PHP: How to hide the password for database connection/email connection statement?

I have a website developed in PHP. There are 2 classes (in 2 seperate php files) that contain the siteadmin's gmail user id and password (in plain text) and database password (again in plain text). Though none of these classes are displayed on the browser ( like index.php). These files contain only php classes and no html code and the references to those plain text passwords is only through objects of those classes. Off late, I have started to wonder if this is secure enough? I have tried my best (acting as a malicious person) to try and read the contents of the two said php files but was not able to do so. I am not very conversant with developing secure code, so not sure what should be my approach to make sure that these passwords never get exposed. Could any one please sugges开发者_JS百科t best practices to develop php code that can contain such sensitive information securely.

• Put configurable items in a separate configuration file, above your public web directory
• Make sure you have set correct file permissions to your files
• Check your web application for local (and remote) file inclusion
• Have your server up-to-date

Having your passwords at a safe spot is not the complete solution, you'll need to have your complete PHP application secure, and nobody unauthorized should be able to get root/administrator access to the server.

Firstly, I'd look at using OAuth for accessing GMail if at all possible - it means you don't have to store credentials at all, and provides some level of protection in case your server does get compromised.

I would also look at the answers to this question.

Finally, if your site is on the public internet, it's worth reading up on at least the basics of internet security, and especially securing web applications. There are all sorts of ways things can go wrong. I like the "hacking exposed" books.

1. Don't store passwords in files, because someone will eventually check that file into source control. Or someone will set a permission incorrectly.

2. Run the application with its own O/S user account

3. Put the passwords in an O/S environment variable for the application user (not a system environment variable)