Make all mails going to these people go through a form and use the mail function. If the mail addresses must be displayed in some public place, you can get all fancy and protect them from e-mail harversters by producing them in image format. Warning: there's a small learning curve here. Look at the php image functions, your server will likely have GD2, what you need for these. Remember that the images are a separate php file - your page that displays the info etc does <img src="imagestuff.php?id=236408">, and the id is what references the image. The php file called imagestuff.php will begin with header('Content-Type: image/png'); and then it will call functions imagecreate, some function to give the background a color or copy on a background image, some function to produce the text of the image, and then imagepng.

Alternately, you can do this all differently, using imagepng to save the image with some kind of hashed or id name, and your script knows the hashed or id name, and calls up the image. This is somewhat more advanced php than the other stuff we've been talking about, but you seem like a quick learner! And the image functions are really fun, too. Rasmus Lehrdorf, the 'instigator' of PHP, has done a lot in the last year trying to promote the image functions, probably mainly since they're so fun.

thanks minckler...

that was alot info there. not sure about being a quick learner tough...but thanks for the comliment still :)

well, the adds are not to be public. there is only a sign up form and then the adds will be sotred somewhere. and this is where i was thinking about security issues. i could save them in a txt file and im sure they will be relatively secure. but u know...just in case anyone would wanto to take a look at whats on the server. i was thinking of a way of avoiding, i think what is called, social engineering, or something.

and as u suggest, the mails will go trough a form. with only admin access off course.

you do have sparked sparked my interest in the image fucntions tough, and i will do some playing around as soon as i get time...thanks

kumar

Ok, if they're going in a text file, put the text file 'outside the webroot'. Meaning, say you have a server directory structure with a 'public_html' directory where your html goes, and your script is at mysite.com/mailwhatever.php, make a directory at the same level of public_html called otherstuff and grab this file with fopen('../otherstuff/textfile.txt', 'r'); or whatever else you're using. To make sure it's secure, you have to make sure that when you use dynamic includes, you have a pretty watertight system so no user input can be stuck into url's or post fields or whatever to make your script include any other files than the ones it's supposed to. There's nothing you can do against a 'social engineering' attack except inform everyone who has access to the server about these types of attacks and never to give information out unless things are absolutely certain, e.g. with a secret keyword or whatever. Happy coding!

but info stored in db would be easier to protext right? i just figured i could get access to mysql, in ehich case storeing the adds in a db could save a lot of headache as far as the security is concerned.

db's can also be subject to something called 'sql injection' - you need to be sure any user input is 'cleaned', first - stripslashes([each post and get variable]) if magic_quotes_gpc(); then mysql_real_escape_string() for each of these that somehow or other get into one of your queries. And you need to make sure you use quotes properly - around each string - like 'SELECT * FROM peanuts WHERE type="'.$type.'"'.

File/db choice really depends on how well each of these is secured. Securing files would involve making sure they are .php files, not txt, having them actually parsed and putting the sensitive stuff there in the form of variables, setting a constant at the base file and checking if this constant is set in the secured files, and making sure all dynamically included files are screened by some kind of naming convention.

If it's just e-mail addresses, and not credit card info or real sensitive stuff, either should be fine. No e-mail harvesters are going to go the pain of trying an sql injection or cross-site scripting attack just to try to sell more people viagara. However, whatever you do, you want to have these security issues stopped up anyways, since it'll be more than just e-mail addresses the hackers are after.