The short answer is both No, and It Depends.

简短的回答是否定的，并且视情况而定。

It's almost never a good idea to store passwords in plain text, especially in a web accessible location, if for noother reason than a simple server misconfiguration or an echo in the wrong place could expose it to the world.

以纯文本形式存储密码几乎从来都不是一个好主意，尤其是在 Web 可访问的位置，如果除了简单的服务器配置错误或错误位置的回声可能会将密码暴露给世界之外，没有其他原因。

If you MUST store a password, (which is possible) you could try to store it outside the webroot, eg /var/www/public_html/Put your codez here
/var/www/includes/Put your passwords here

如果您必须存储密码（这是可能的），您可以尝试将其存储在 webroot 之外，例如 /var/www/public_html/将您的代码
/var/www/includes/放在此处将您的密码放在此处

Even better than that would be to have the system that you need the password for (eg a database wrapper ) return an object already instantiated. so rather than asking for $databasepasswordyou ask for a PDO object, and store your database classes outside the webroot.

比这更好的是让您需要密码的系统（例如数据库包装器）返回一个已经实例化的对象。所以，而不是要求$databasepassword您要求 PDO 对象，并将您的数据库类存储在 webroot 之外。

The It Depends comes from what attack vectors would cause someone to have access to that password text, and would it require them to be already inside your filesystem, if so, you're probably screwed anyway.

这取决于哪些攻击媒介会导致某人访问该密码文本，并且是否要求它们已经存在于您的文件系统中，如果是这样，无论如何您都可能被搞砸了。

Also, if its the password to your supa-secrit subscriber content, meh, all you've lost is some subscription fees, if its your database, you may have a problem, if it's your online banking details, um good for you.

另外，如果它是您的 supa-secrit 订阅者内容的密码，嗯，您失去的只是一些订阅费，如果是您的数据库，您可能会遇到问题，如果是您的网上银行详细信息，那么对您有好处。

How valuable is the thing the password is protecting?

密码保护的东西有多大价值？

Depending on how you define safe, any approach has its positive and negative aspects.

根据您如何定义安全，任何方法都有其积极和消极的方面。

If you really want to store a password in your source, it might be a good idea to do something of the sort:

如果您真的想在源中存储密码，那么执行以下操作可能是个好主意：

File: config.php

文件：config.php

if( ! defined('IN_CODE') ) die( 'Hacking attempt' );

define( 'PASSWORD_HASH', '098f6bcd4621d373cade4e832627b4f6' );

File: index.php

文件：index.php

define( 'IN_CODE', '1' );

include( 'passwd.php' );

if( md5($password) == PASSWORD_HASH )
...

Plain-text is never a good idea, always store a hash of the password you want to store.

纯文本从来都不是一个好主意，始终存储您要存储的密码的哈希值。

Furthermore, try to seperate defines like this from your main sourcefile.

此外，尝试将这样的定义与您的主源文件分开。

Usually they can't see it. But if something bad happens on server there's a big possibility that server will return your php code in plain text w/o executing it and therefore user will see all source of that file and also your password.

通常他们看不到它。但是，如果服务器上发生了不好的事情，服务器很可能会以纯文本形式返回您的 php 代码，而无需执行它，因此用户将看到该文件的所有来源以及您的密码。

I would store password somewhere where it's not on document root (Cannot be open in browser) and then open that file with php and read the content (password). Or if you have multiple passwords/users, I'd store them in database for fast access.

我会将密码存储在文档根目录之外的某个地方（无法在浏览器中打开），然后用 php 打开该文件并读取内容（密码）。或者，如果您有多个密码/用户，我会将它们存储在数据库中以便快速访问。

If you want to use the file method directory layout should look something like this (depneds on server)

如果你想使用文件方法目录布局应该看起来像这样（取决于服务器）

/public_html/index.php

/password.txt

/public_html/index.php

/密码.txt

$myFile = $_SERVER['DOCUMENT_ROOT'] + "/../password.txt";
if file_exists($myFile) { 
   $fh = fopen($myFile, 'r');
   $password = fgets($fh);
   fclose($fh);
} else die("No password file");
if ($user_input == $password) {
   ...... Authentication succeeded ..........
   ......your relatively protected code .....
} else die("Wrong password");

If you want even more security instead of storing password as text in that text file. Sore it's hash and then when you want to compare it with user input generate hash from the user input and compare it to the password's hash you loaded from text file

如果您想要更高的安全性而不是将密码作为文本存储在该文本文件中。它是散列，然后当您想将其与用户输入进行比较时，从用户输入生成散列并将其与您从文本文件加载的密码散列进行比较

sha1($user_input) == $password_from_txt

As long as your PHP installation works as it should, this is no less secure than any other method. I would prefer named constant (define) over variable. Additionally you might consider storing a hash of the password, instead of plain password. This prevents stealing your passwords even if the site is compromised.

只要您的 PHP 安装工作正常，这并不比任何其他方法安全。我更喜欢命名常量（定义）而不是变量。此外，您可能会考虑存储密码的哈希值，而不是普通密码。即使网站遭到入侵，这也可以防止窃取您的密码。

As for being bad practice, it depends. If you need to store just one password, this approach is ok. Storing them outside document root may give a false feeling of extra security; the document root is no more absolute than any other setting of the server.

至于不好的做法，这取决于。如果您只需要存储一个密码，这种方法是可以的。将它们存储在文档根目录之外可能会给人一种额外的安全感；文档根目录并不比服务器的任何其他设置更绝对。

Unless the site itself is compromised and now so are all the things those passwords grant access to (your DB, perhaps?).

除非站点本身受到损害，现在这些密码授予访问权限的所有内容（也许是您的数据库？）也是如此。

It depends how you define 'safe'.

这取决于您如何定义“安全”。

You are right in that a general user won't see it.

你是对的，一般用户不会看到它。

However it is definitely a bad practice; if your site is compromised, what else will these passwords give access to? I'd say at a bare minimum you should be storing a hash of the password, not the plaintext.

然而，这绝对是一种不好的做法；如果您的网站遭到入侵，这些密码还能访问哪些内容？我会说至少你应该存储密码的散列，而不是明文。

Sometimes it just has to be f.e. for a mail application where you can only login with the plain password and not with a hash. And if your application doesn't have security issues it should not affect you.

有时，对于只能使用普通密码而不是散列登录的邮件应用程序来说，它必须是 fe。如果您的应用程序没有安全问题，它应该不会影响您。

I belive that most of the times plain text password would be database password as MySQL, for exmaple, won't accept hash for authentication.

我相信大多数时候纯文本密码将是数据库密码，例如 MySQL，不会接受哈希进行身份验证。

As mentioned before best solution is to keep PHP config file with password outside the webroot.

如前所述，最佳解决方案是将带有密码的 PHP 配置文件保留在 webroot 之外。

If you are worried that someone may see your password while you viewing the file you can simply make it unreadable for human using base64 funciton.

如果您担心有人在您查看文件时可能会看到您的密码，您可以使用 base64 函数简单地使其不可读。

See this postfor details and even small utility for Windows, Linux and Mac that makes it easier.

请参阅这篇文章了解详细信息，甚至是适用于 Windows、Linux 和 Mac 的小实用程序，这使它变得更容易。