PHP: How to hide the password for database connection/email connection statement?

Question

I have a website developed in PHP. There are 2 classes (in 2 seperate php files) that contain the siteadmin's gmail user id and password (in plain text) and database password (again in plain text). Though none of these classes are displayed on the browser ( like index.php). These files contain only php classes and no html code and the references to those plain text passwords is only through objects of those classes. Off late, I have started to wonder if this is secure enough? I have tried my best (acting as a malicious person) to try and read the contents of the two said php files but was not able to do so. I am not very conversant with developing secure code, so not sure what should be my approach to make sure that these passwords never get exposed. Could any one please suggest best practices to develop php code that can contain such sensitive information securely.

Answer 1

• Put configurable items in a separate configuration file, above your public web directory
• Make sure you have set correct file permissions to your files
• Check your web application for local (and remote) file inclusion
• Have your server up-to-date

Having your passwords at a safe spot is not the complete solution, you'll need to have your complete PHP application secure, and nobody unauthorized should be able to get root/administrator access to the server.