PHP Login system hard coded username and password

Question

I had to do a basic login system to protect a page, and I have no access to database so i store the username and password hard coded in php page.

My question is, can thi

Answer 1

My comments are getting lengthy, so I'll just move them here. I would not recommend you put the username and password in the same file. If PHP ever fails to process the page, it will be dumped as plain text to the user. Even for database connections (where the un/pwd almost have to be stored plain text), most people don't put the information in the same file.

You have a couple options:

1. Make a separate PHP file that sets your UN/PWD variables, put it somewhere that isn't accessible from outside your server, and include it in index.php. In this case, I wouldn't include the file until right when you're going to compare the variables and let the local scope dump it as soon as possible.

2. Since this is such basic authentication, you could use Apache's built in password authentication module.

Answer 2

in my opinion, this solution is safe enough when you don't plan to use it forever. What would I check is setting of your web server - some text editors makes backup copies of edited files, like index.php~, index.php.bkp or so. Make sure whether your web server do not serve those files, if any.

Answer 3

The problem with temporary solutions is that they've never temporary.

Never hard code passwords. Some of the reasons are:

• It is harder to keep source code secret than it is a key.
• Any vulnerabilities in your site that allow reading of source code may reveal the password.
• Passwords from development will end up in production.
• It is impossible to change passwords without redeploying.