Is it ever ok to store password in plain text in a php variable or php constant?

Question

As per question, is it safe to store passwords on php pages such as

$password = \'pa$$w0rd\';

If the users can\'t see it, it\'s safe, right

Answer 1

Usually they can't see it. But if something bad happens on server there's a big possibility that server will return your php code in plain text w/o executing it and therefore user will see all source of that file and also your password.

I would store password somewhere where it's not on document root (Cannot be open in browser) and then open that file with php and read the content (password). Or if you have multiple passwords/users, I'd store them in database for fast access.

If you want to use the file method directory layout should look something like this (depneds on server)

/public_html/index.php

/password.txt

$myFile = $_SERVER['DOCUMENT_ROOT'] + "/../password.txt";
if file_exists($myFile) { 
   $fh = fopen($myFile, 'r');
   $password = fgets($fh);
   fclose($fh);
} else die("No password file");
if ($user_input == $password) {
   ...... Authentication succeeded ..........
   ......your relatively protected code .....
} else die("Wrong password");

If you want even more security instead of storing password as text in that text file. Sore it's hash and then when you want to compare it with user input generate hash from the user input and compare it to the password's hash you loaded from text file

sha1($user_input) == $password_from_txt