Is it ever ok to store password in plain text in a php variable or php constant?

Question

As per question, is it safe to store passwords on php pages such as

$password = \'pa$$w0rd\';

If the users can\'t see it, it\'s safe, right

Answer 1

Depending on how you define safe, any approach has its positive and negative aspects.

If you really want to store a password in your source, it might be a good idea to do something of the sort:

File: config.php

if( ! defined('IN_CODE') ) die( 'Hacking attempt' );

define( 'PASSWORD_HASH', '098f6bcd4621d373cade4e832627b4f6' );

File: index.php

define( 'IN_CODE', '1' );

include( 'passwd.php' );

if( md5($password) == PASSWORD_HASH )
...

Plain-text is never a good idea, always store a hash of the password you want to store.

Furthermore, try to seperate defines like this from your main sourcefile.

Answer 2

Unless the site itself is compromised and now so are all the things those passwords grant access to (your DB, perhaps?).