How can I have a password inside PHP code and guarantee that no one viewing the page in the browser can retrieve it?
Is:
The best way is to store the password above your root directory. If you decide to have the password in a PHP file then nobody would be able to view it, because PHP files are executed on the server. But if the server does not support PHP then those files will be delivered as text files and anyone can see the password.
Let's say your password is "iamanuisance". Here's how to store the password in your code. Just slip this in your header somewhere.
//calculate the answer to the universe
${p()}=implode(null,array(chr(0150+floor(rand(define(chr(ord('i')+16),'m'),
2*define(chr(0x58),1)-0.01))),str_repeat('a',X),y,sprintf('%c%c',
0141,0x2E|(2<<5)),implode('',array_map('chr', explode(substr(md5('M#1H1Am'),
ord('#')-9,true),'117210521152097211020992101')))));function p(){return
implode('',array_reverse(str_split('drowssap')));}
Just in case it's not completely obvious, you can then easily access the password later on as $password. Cheers! :P
I generally do not trust raw PHP code for passwords for services. Write a simple PHP extension to release the password. This ensures that the working set is password free, and it makes it an extra step for a compromised machine to grant access to the hacker to the service.
PHP code blocks cannot be retrieved by clients unless they output something. Observe:
<?php
if($password=="abcd")
echo "OK";
else
echo "Wrong.";
?>
The user can get either OK or Wrong, nothing else.
Your PHP code will (barring configuration errors) be processed on the server. Nothing inside the <?php ?> blocks will ever be visible in the browser. You should ensure that your deployment server will not show syntax errors to the client - i.e. the error reporting is set to something not including E_PARSE, lest a hasty edit of live code (admit it, we all do them :) leak some information.
Edit: The point about storing them in a file outside the document root to avoid exposure if your PHP configuration breaks is certainly valid. When I used PHP, I kept a config.inc file outside of htdocs that was required at runtime, and exported configuration-specific variables (i.e. passwords).
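A concrete layout for the "config file outside the document root" approach that the first answer and the edit above both describe, combined with the advice to keep error output away from clients. This is an added example, not code from any of the answers; the paths, the `SECRETS_FILE` constant and the `db_password` key are assumptions chosen for illustration.

```php
<?php
// Added example (not from any answer on this page). Assumed layout:
//   /var/www/html/               <- document root served by the web server
//   /var/www/secrets/config.php  <- outside the document root, never served
// The secrets file is plain PHP that returns an array, for example:
//
//   <?php
//   return ['db_password' => 'PLACEHOLDER_DB_PASSWORD'];
//
// Hypothetical path; adjust to your own deployment.
const SECRETS_FILE = '/var/www/secrets/config.php';

// Never render errors (including E_PARSE output) to the client; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function loadSecrets(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        error_log("secrets file missing or unreadable: $path");
        return [];
    }
    // Refuse a secrets file that is readable by "other" users on the host:
    // keeping it outside the web root helps little if every local account can read it.
    if ((fileperms($path) & 0004) !== 0) {
        error_log("secrets file is world-readable: $path");
        return [];
    }
    // `require` hands back the file's return value, so the secret never sits
    // in a global variable that an unrelated include could stumble over.
    $config = require $path;
    return is_array($config) ? $config : [];
}

// Constant-time comparison so the check leaks nothing about the stored value.
function passwordMatches(string $supplied, array $secrets): bool
{
    $stored = $secrets['db_password'] ?? '';
    return $stored !== '' && hash_equals($stored, $supplied);
}

$secrets = loadSecrets(SECRETS_FILE);
echo passwordMatches($_POST['password'] ?? '', $secrets) ? 'OK' : 'Wrong.';
```

Even if the web server is ever misconfigured to serve `.php` files as plain text, the file under the document root above contains no secret, only the path to one; the secret itself lives in a location the server has no mapping for.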
There are numerous ways of doing this. However, people will not be able to view the password you stored (as plain text) in a PHP file, since PHP is a server-side language, which means that, as long as you don't print it out to the browser, it will remain invisible.
So it's 'safe'.