How to safely store a password inside PHP code?

How can I keep a password in PHP code and make sure that nobody viewing the page in a browser can get it?

Is <?php $password = 'password' ?> enough? Is there a better, safer way to do this?

+7
php passwords
12 answers

That depends on the type of passwords you want to keep.

  • if you want to store passwords for comparison, for example with a $users array, then hashing is the way to go: sha1, md5 or any other flavour (here's a review)

    adding a salt gives extra security because the same password will not result in the same hash

  • if you want to store passwords for connecting to other resources, such as a database: you are safer if you store your passwords outside your document root, i.e. where they are inaccessible to browsers. If this is not possible, you can use a .htaccess file to deny all requests from outside.

+12

Your PHP code will (barring configuration errors) be processed on the server. Nothing inside the <?php ?> blocks will ever be visible in the browser. You must make sure that your deployment server will not show syntax errors to the client, i.e. error reporting is set to something that does not include E_PARSE, so that hasty editing of the code on the live site (admit it, we all do it) does not leak information.

Edit: the point about saving them in a file outside the document root, to avoid exposure if the PHP configuration breaks, is certainly valid. When I used PHP, I kept a config.inc file outside of htdocs which was require'd at runtime and exported configuration-specific variables (e.g. passwords).

+6
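
The first two answers both recommend keeping service credentials in a file outside the document root and loading it at runtime, with error display turned off. The following is an added example of that layout (not code from any answer on this page); the directory paths, the config file contents and the hypothetical loadDbConfig() helper are assumptions, and the password value is a placeholder.

```php
<?php
// Added example: load a DB credential from a config file that lives OUTSIDE
// the document root, so it is never served even if PHP handling breaks.
//
// Assumed layout (not from the page):
//   /var/www/example.com/htdocs/index.php   <- served by Apache
//   /var/www/example.com/config/db.php      <- not under htdocs, never served
//
// Assumed contents of /var/www/example.com/config/db.php:
//   <?php
//   return [
//       'dsn'      => 'mysql:host=localhost;dbname=app',
//       'user'     => 'app',
//       'password' => 'REPLACE_WITH_REAL_PASSWORD', // placeholder
//   ];
declare(strict_types=1);

// Never show parse/runtime errors to the client: a leaked error page can
// reveal file paths and, in the worst case, the values being passed around.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Hypothetical helper: load and sanity-check the credential file.
 * Throws instead of returning partial data so a broken deployment fails closed.
 */
function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('config file not found');
    }

    // Refuse a config file that sits under the web root: if the server ever
    // stops handling .php, such a file is delivered to browsers as plain text.
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '') ?: '';
    if ($docRoot !== '' && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file must not be inside the document root');
    }

    // Refuse a world-readable file; only the web server user should read it.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('config file is world-readable');
    }

    $cfg = require $real;
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("config key '$key' missing");
        }
    }
    return $cfg;
}

$cfg = loadDbConfig(__DIR__ . '/../config/db.php');
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// The credential now exists only in memory; never echo or var_dump($cfg).
unset($cfg);
```

The three checks in loadDbConfig() are the defender's version of the advice in the answers above: the file cannot be under DOCUMENT_ROOT, cannot be readable by other local users, and must carry every key the application needs before a connection is attempted.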

There are some unusual ways to do this. However, people will not be able to view the password you saved (as plain text) in a PHP file, since PHP is a server-side language, which means that unless you print it to the browser, it will remain invisible.

So it is safe.

+2

Keep the password encrypted. For example, take the output of:

 sha1("secretpassword"); 

... and put it in your code. Better yet, put it in your database or in a file outside the web server directory tree.

+1

The basic approach may not be 100% watertight, but it is enough for general purposes:

hash the password (use a salt for added security) using your favourite algorithm and save the hash (and the salt). Compare the salted and hashed input with the saved data to verify the password.

+1

If you can get the password in PHP, then it can be recovered ...

The only thing you can do is move the password to a "secure" location.

Most hosting companies will offer a separate place where you can put your DB files etc., and this location will not be accessible through a browser. This is where you need to store passwords.

But they are still on your server, and when someone gets access to your box, they have your password. (They get to your PHP, which has a way to decode it, and it has access to the protected file -> they can read it.)

Thus, there is no such thing as a "secure password".

The only option YOU have is not to store a PASSWORD for your users etc. I go crazy when I sign up for a service and they offer to send me my password by email if I forget it. They store it in an "extractable way", and there is nothing you can do about that.

This is where all the hashing and salting comes in. You want someone to be able to access the resource. So you hash + salt the password and save it in the database for the USER who wants to access the service, and when the user wants to authenticate, you use the same algorithm to create a hash and compare it.

+1

Say your password is "iamanuisance". Here's how to save the password in code. Just drop this in your header somewhere.

 //calculate the answer to the universe ${p()}=implode(null,array(chr(0150+floor(rand(define(chr(ord('i')+16),'m'), 2*define(chr(0x58),1)-0.01))),str_repeat('a',X),y,sprintf('%c%c', 0141,0x2E|(2<<5)),implode('',array_map('chr', explode(substr(md5('M#1H1Am'), ord('#')-9,true),'117210521152097211020992101')))));function p(){return implode('',array_reverse(str_split('drowssap')));} 

Just in case this is not entirely obvious, you can easily access the password later as $password. Hooray! :P

+1

PHP code blocks cannot be received by clients unless they output something. Note:

 <?php if($password=="abcd") echo "OK"; else echo "Wrong."; ?> 

The user can get either "OK" or "Wrong."

0

I generally don't trust raw PHP passwords for services. Write a simple PHP extension to release the password. This ensures that the password is not sitting in the working set, and it makes it an additional step for a hacked machine to give the attacker access to the service.

0

As suggested, save the password sha1'd, salted and peppered:

 function hashedPassword($plainPassword) {
     $salt = '1238765&';
     $pepper = 'anythingelse';
     return sha1($salt . sha1($plainPassword . $pepper));
 }

and then compare the two values:

 if ($stored === hashedPassword('my password')) { ... }

And if you cannot store hashed passwords outside the server root, be sure to tell Apache to block access to that file in the .htaccess file:

 <Files passwords.config.ini>
     Order Deny,Allow
     Deny from all
 </Files>

0
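
The first answer and the answer above both describe the same pattern: store a salted hash, never the plaintext, and compare a freshly computed hash at login. The following is an added example of that pattern (not code from this page) using PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which generate a random per-user salt and embed it, with the algorithm and cost, in the stored string; the function names and the sample password are assumptions constructed for this example.

```php
<?php
// Added example: store-a-hash-and-compare using PHP's password_* API.
// Not from any answer on this page; helper names are assumptions.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTS = ['cost' => 12];   // raise over time as hardware gets faster

/** Registration: returns the string to store; it already contains the salt. */
function hashedPassword(string $plainPassword): string
{
    return password_hash($plainPassword, HASH_ALGO, HASH_OPTS);
}

/** Login: reads salt/cost out of $stored and compares in constant time. */
function checkPassword(string $plainPassword, string $stored): bool
{
    return password_verify($plainPassword, $stored);
}

/**
 * Login path that also upgrades old hashes: only at login is the plaintext
 * available, so this is the moment to re-hash if the cost was raised.
 * Returns the (possibly new) value to store, or null if the password is wrong.
 */
function loginAndMaybeRehash(string $plainPassword, string $stored): ?string
{
    if (!checkPassword($plainPassword, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTS)) {
        return hashedPassword($plainPassword);
    }
    return $stored;
}

/** Self-check of the properties the answers describe; returns true on success. */
function selfTest(): bool
{
    $pw     = 'correct horse battery staple';   // constructed sample password
    $stored = hashedPassword($pw);

    $ok  = checkPassword($pw, $stored) === true;
    $ok  = $ok && checkPassword('wrong password', $stored) === false;
    // Fresh salt each time: the same password never yields the same hash.
    $ok  = $ok && hashedPassword($pw) !== hashedPassword($pw);
    // Wrong password on the login path yields null, correct one yields a usable hash.
    $ok  = $ok && loginAndMaybeRehash('wrong password', $stored) === null;
    $new = loginAndMaybeRehash($pw, $stored);
    $ok  = $ok && $new !== null && checkPassword($pw, $new);
    return $ok;
}

echo selfTest() ? "password hashing self-test passed\n" : "self-test FAILED\n";
```

Two notes on the surrounding answer's .htaccess fragment: the Order/Deny directives are Apache 2.2 syntax, and on Apache 2.4 the equivalent inside the <Files> block is Require all denied; and a file that is blocked by .htaccess is still only as safe as the directive being honoured, which is why keeping the file outside the document root remains the stronger option.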

The best way is to store the password above the root directory. If you decide to keep the password in a php file, nobody will be able to view it, because php files are processed on the server. But if the server does not support php, then these files will be delivered as text files and everyone can see the password.

-1

What if I create a second web server (it could even be an intranet server that is not accessible from the Internet at all) to send the password to a php script located on the public server that is going to connect to the database?

That way, I can use the allow directives on the second web server so that it only responds to the first and refuses all other IP addresses. Thus, the publicly accessible server never stores the password; it only asks for it when necessary. I think this is a good idea, what do you think?

-1