using localhost for security

Is it a good idea to use localhost/127.0.0.1/::1 for security to allow a script to access content within the site, whilst presenting username/password login for anything else?

For example,

if(in_array($_SERVER["SERVER_ADDR"], array("127.0.0.1","::1"))){
  // allow internal access
  // (ie. scripts on the same site can access this protected data)
} else if(!empty($_POST['user']) && !empty($_POST['开发者_如何学Cpass'])){
  // check if username and password are correct
  // - if yes - allow external access (ie. perhaps from an app or 3rd party site)
  // - if not - deny access
} else {
  // deny access
}

I know I could probably use a token system to check if the request was internally made, but if I were to distribute the script, surely someone could look at the script and make a token to 'break in'.

I guess if a token system is therefore required, it would be best to generate an encryption key for each user that wants to use the script. Would an encryption key be safe to store within a PHP file or better to store in a database? What is the best way to store it?

Yes it's relatively safe to do, as long as you have full access control over your server (No shared hosting whatsoever).

Your code has a few flaws though, you'll want to check $_SERVER['REMOTE_ADDR'] to be localhost/127.0.0.1/::1. Not $_SERVER['SERVER_ADDR'].

Then on the second if statement you'll have to check for isset($_POST['user']) and isset($_POST['pass']) before using empty() on a possibly unexistent index.