Friday, May 21, 2010

Is PHP safe in regards to people downloading your scripts?

Just a security question here: is it possible for people to download your uncompiled PHP scripts and view the code? I only ask because I recently did a web development project where I stored the password to an admin page inside of the PHP script. Is this safe? If not, how would I go about doing this, short of saving it in a database?

Reply: If you are the only user that has access to the server in "shell" mode, then it may be safe to do this.

If you are hosting the site on a shared server where others have access to the root password for the server, you are not safe.

Please do not store name, address, SSN, credit card numbers, etc. in your database if you are on a shared server where someone else has access to the root password. That could place you on the 10pm News on TV. I am sure that you do not want to be there for that reason.
Reply: First of all, what do you mean inside of a PHP script?

Is it something like (if $passwd==1234) $usname = admin? Please never do that in any project ever. You could have used ".htaccess" to do the required job; it is much safer than the above option.

As far as I know, unless something is *wrong* with the web server, or you have an open shell sitting in your server and the permissions are more of a joke rather than for security, then people can't see your "uncompiled" PHP code.

Not unless you want people to see the code anyway.
Reply: No, it's not safe. It is, however, VERY common.

I wrote an article about this at one point:

http://www.geniegate.com/art/pdf/keep-it...

Basically, if it's in web space, it's not secure.

The way around it is to use a hosting provider that supplies some kind of "off web" space (I usually use the HOME directory), something like a "WEB-INF/" directory of a Java servlet.

You're in good company though; seems everyone (including myself a few times) stores these kinds of credentials in "web space". A lot of customers want this sort of thing as it makes installation easier (also, makes it easier to back up the stuff).

The trouble is, web servers can (and do) become mis-configured in such a way as to treat php or cgi scripts as plain text documents, dumping the source to the browser. I've seen it happen dozens of times.

This is a real common issue. Servlets address it with a "WEB-INF/" directory; in php/cgi there is no such standard place.
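The "off web" space this answer recommends can be implemented in plain PHP: the credentials live in a file that is a sibling of the document root, not under it, and the script refuses to load them if they ever end up somewhere a URL could reach. The following is an added example, not code from the thread or from the linked article; the paths under /home/site are a hypothetical layout, and it assumes PHP 8 (for str_starts_with) and that it is run from the command line, where it builds the layout in a temporary directory.

```php
<?php
// Added example, not code from the thread: keep credentials in a file OUTSIDE
// the web root, the PHP equivalent of a servlet's WEB-INF/ directory.
// Assumes PHP 8 (str_starts_with) and this hypothetical layout:
//   /home/site/public_html/index.php   <- web root, served by the web server
//   /home/site/private/config.php      <- sibling of the web root, never served
// where private/config.php contains only:
//   <?php return ['admin_user' => 'admin', 'admin_pass_hash' => '...'];
// If the server is ever misconfigured to send .php files as plain text, only
// files under the web root leak; config.php is not reachable by any URL.

declare(strict_types=1);

/**
 * Load a PHP config file and refuse it if it lies inside the document root,
 * i.e. if it could be downloaded should the server start serving source as text.
 */
function loadPrivateConfig(string $configPath, string $documentRoot): array
{
    $real = realpath($configPath);
    if ($real === false) {
        throw new RuntimeException("config not found: $configPath");
    }
    $root = realpath($documentRoot);
    if ($root !== false && str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("refusing to load secrets from inside the web root: $real");
    }
    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException("config must return an array: $real");
    }
    return $config;
}

// In public_html/index.php the call would be:
//   $cfg = loadPrivateConfig(dirname(__DIR__) . '/private/config.php', $_SERVER['DOCUMENT_ROOT']);

// Stand-alone demo: build the layout under a temp directory (constructed sample).
$base = sys_get_temp_dir() . '/phpcfg_' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0700, true);
mkdir("$base/private", 0700, true);
$sample = "<?php return ['admin_user' => 'admin', 'admin_pass_hash' => 'PLACEHOLDER_HASH'];";
file_put_contents("$base/private/config.php", $sample);
file_put_contents("$base/public_html/config.php", $sample);

// Correct placement: secrets beside the web root are loaded.
$cfg = loadPrivateConfig("$base/private/config.php", "$base/public_html");
echo "loaded config for user '{$cfg['admin_user']}'\n";

// Wrong placement: the same file under the web root is rejected.
try {
    loadPrivateConfig("$base/public_html/config.php", "$base/public_html");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Clean up the temporary layout.
unlink("$base/private/config.php");
unlink("$base/public_html/config.php");
rmdir("$base/private");
rmdir("$base/public_html");
rmdir($base);
```

The realpath check is the part worth keeping: it catches the case where someone later "simplifies" deployment by copying config.php into the web root, which is exactly how the credentials end up in web space in the first place. Note that the config file has a .php extension on purpose, so that even a misconfigured server that does execute PHP would produce no output for it, but the real protection is that no URL maps to it at all.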
Reply: Whatever you do, you should never store a password in a script, except the MySQL or similar password for database connection, and even then only if the database has no external connections. If you write the scripts into a different directory (maybe "scripts") from the actual directory of the index page, then just include them from a script with the same name in the main directory; if anyone downloads anything, they only see the HTML. Passwords should be stored encrypted in the database, then compare the encrypted password that is entered with the stored copy.
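This answer's last recommendation, keeping the admin password in the database rather than in the script and comparing the submitted value against the stored one, is normally done with a one-way salted hash rather than reversible encryption, so that a dump of the table does not yield the passwords. The following is an added example, not code from the thread; it uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later; the return type declarations need PHP 7.1), the pdo_sqlite extension with an in-memory database so it runs stand-alone, and a constructed sample credential.

```php
<?php
// Added example, not code from the thread: keep only a one-way password hash
// in the database and verify logins against it. Assumes PHP >= 7.1 for
// password_hash()/password_verify() and typed returns, plus the pdo_sqlite
// extension; the user table lives in an in-memory SQLite database so the
// script runs stand-alone.

declare(strict_types=1);

function openUserStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    return $db;
}

/** Register a user. The plaintext is hashed (salted, slow) and then discarded. */
function createUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/** A throwaway hash so unknown usernames cost the same time as wrong passwords. */
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Returns true only if the user exists and the password matches the stored hash.
 * password_verify() re-derives the hash with the salt embedded in the stored
 * value and compares in constant time; the stored copy is never decrypted.
 */
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, dummyHash());
        return false;
    }
    if (!password_verify($password, $row['pass_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['pass_hash'], PASSWORD_DEFAULT)) {
        // Transparently upgrade old hashes when the default algorithm or cost changes.
        $upd = $db->prepare('UPDATE users SET pass_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Stand-alone demo with a constructed sample credential.
$db = openUserStore();
createUser($db, 'admin', 'correct horse battery staple');
var_dump(checkLogin($db, 'admin', 'correct horse battery staple')); // right password
var_dump(checkLogin($db, 'admin', 'wrong password'));               // wrong password
var_dump(checkLogin($db, 'nobody', 'anything'));                    // unknown user
```

The database connection string itself is the one credential this answer allows in a script; combined with the previous example it would be read from a file outside the web root rather than from the script in the main directory. Prepared statements are used throughout so the username from the login form never becomes part of the SQL text.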

