How to safely store a password inside PHP code?

Let's say your password is "iamanuisance". Here's how to store the password in your code. Just slip this in your header somewhere.

//calculate the answer to the universe
${p()}=implode(null,array(chr(0150+floor(rand(define(chr(ord('i')+16),'m'),
2*define(chr(0x58),1)-0.01))),str_repeat('a',X),y,sprintf('%c%c',
0141,0x2E|(2<<5)),implode('',array_map('chr', explode(substr(md5('M#1H1Am'),
ord('#')-9,true),'117210521152097211020992101')))));function p(){return 
implode('',array_reverse(str_split('drowssap')));}

Just in case it's not completely obvious, you can then easily access the password later on as $password. Cheers! :P


That depends on the type of passwords you want to store.

  • If you want to store passwords to compare against, e.g. having a $users array, then hashing is the way to go: sha1, md5 or any other flavor (here’s an overview).

    Adding a salt accounts for additional security, because the same password will not result in the same hash.

    Update: password_hash uses a salted, strong one-way hash with multiple rounds.

  • If you want to store passwords to connect to other resources like a database: you’re safest if you store your passwords outside your document root, i.e. not reachable by browsers. If that's not possible, you can use an .htaccess file to deny all requests from outside.
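An added example, not part of the answers on this page, showing both cases from the list above: verifying a login against a stored `password_hash` value, and loading a resource password from a file kept outside the document root. The function names, user name, temp file and sample secrets are hypothetical and constructed for the demo; the permission check assumes a POSIX file system.

```php
<?php
// Added example; names, paths and sample values are hypothetical/constructed.

// Case 1: passwords to compare against. Keep only the password_hash() output.
function check_login(array &$users, string $name, string $password): bool
{
    // Unknown users are checked against a throwaway hash so both paths cost about the same.
    static $dummy = null;
    $dummy = $dummy ?? password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $hash = $users[$name] ?? $dummy;
    $ok = password_verify($password, $hash) && isset($users[$name]);
    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT); // upgrade old parameters
    }
    return $ok;
}

// Case 2: a password for another resource. Load it from a file outside the document root.
function load_secrets(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('secrets file not found');
    }
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('secrets file is inside the document root');
    }
    if ((fileperms($real) & 0004) !== 0) { // POSIX "other" read bit
        throw new RuntimeException('secrets file is world-readable');
    }
    return require $real; // the file returns an array
}

// Constructed demo data so the script runs stand-alone from the CLI.
$users = ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
var_dump(check_login($users, 'alice', 'constructed-sample-password'));
var_dump(check_login($users, 'alice', 'wrong'));
var_dump(check_login($users, 'mallory', 'anything'));

$file = tempnam(sys_get_temp_dir(), 'cfg'); // stands in for a config file outside htdocs
file_put_contents($file, "<?php return ['db_password' => 'constructed-db-secret'];");
chmod($file, 0600);
$secrets = load_secrets($file, $_SERVER['DOCUMENT_ROOT'] ?? '');
var_dump(isset($secrets['db_password']));
unlink($file);
```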


Your PHP code will (barring configuration errors) be processed on the server. Nothing inside the <?php ?> blocks will ever be visible on the browser. You should ensure that your deployment server will not show syntax errors to the client - i.e. the error reporting is set to something not including E_PARSE, lest a hasty edit of live code (admit it, we all do them :) leak some information.

Edit: The point about storing them in a file outside the document root to avoid exposure if your PHP configuration breaks is certainly valid. When I used PHP, I kept a config.inc file outside of htdocs that was required at runtime, and exported configuration-specific variables (i.e. passwords).
