Is it ever ok to store password in plain text in a php variable or php constant?

Solution 1

The short answer is both No, and It Depends.

It's almost never a good idea to store passwords in plain text, especially in a web accessible location, if for no other reason than a simple server misconfiguration or an echo in the wrong place could expose it to the world.

If you MUST store a password, (which is possible) you could try to store it outside the webroot, eg /var/www/public_html/ Put your codez here
/var/www/includes/ Put your passwords here

Even better than that would be to have the system that you need the password for (eg a database wrapper ) return an object already instantiated. so rather than asking for $databasepassword you ask for a PDO object, and store your database classes outside the webroot.

The It Depends comes from what attack vectors would cause someone to have access to that password text, and would it require them to be already inside your filesystem, if so, you're probably screwed anyway.

Also, if its the password to your supa-secrit subscriber content, meh, all you've lost is some subscription fees, if its your database, you may have a problem, if it's your online banking details, um good for you.

How valuable is the thing the password is protecting?

Solution 2

Depending on how you define safe, any approach has its positive and negative aspects.

If you really want to store a password in your source, it might be a good idea to do something of the sort:

File: config.php

if( ! defined('IN_CODE') ) die( 'Hacking attempt' );

define( 'PASSWORD_HASH', '098f6bcd4621d373cade4e832627b4f6' );

File: index.php

define( 'IN_CODE', '1' );

include( 'passwd.php' );

if( md5($password) == PASSWORD_HASH )
...

Plain-text is never a good idea, always store a hash of the password you want to store.

Furthermore, try to seperate defines like this from your main sourcefile.

Solution 3

Usually they can't see it. But if something bad happens on server there's a big possibility that server will return your php code in plain text w/o executing it and therefore user will see all source of that file and also your password.

I would store password somewhere where it's not on document root (Cannot be open in browser) and then open that file with php and read the content (password). Or if you have multiple passwords/users, I'd store them in database for fast access.

If you want to use the file method directory layout should look something like this (depneds on server)

/public_html/index.php

/password.txt

$myFile = $_SERVER['DOCUMENT_ROOT'] + "/../password.txt";
if file_exists($myFile) { 
   $fh = fopen($myFile, 'r');
   $password = fgets($fh);
   fclose($fh);
} else die("No password file");
if ($user_input == $password) {
   ...... Authentication succeeded ..........
   ......your relatively protected code .....
} else die("Wrong password");

If you want even more security instead of storing password as text in that text file. Sore it's hash and then when you want to compare it with user input generate hash from the user input and compare it to the password's hash you loaded from text file

sha1($user_input) == $password_from_txt