No need for that.
The people who must access the connection configuration file with the bank (or any other application within the application that uses password or security tokens) must be the ones who have authorization to do so.
You don’t need to focus on hiding the password in your script, but increase the security of your application.
The people who would usually be able to see the password of this connection script with the bank (without authorization, I mean) are those who exploit failures (or sloppiness, so to speak) of the programmer. So, if they can, for example, hack into your server (through a backdoor for example), they will probably have access to any file that is there.
It’s no use trying to cover the sun with a sieve!
A few questions below will signal how someone could access their data through an attack:
Another detail: Although it is only an example the password is "123", this is also a point that you should avoid, because a password like this is to tray access to your system, since it can be easy to hit this password.
Storing in an external configuration file is really the option?
In a reply, one might suggest that it is a good idea to save the password configuration data in an external file. But to be honest, what is the advantage of this?
Suppose you do what they did in that reply from SOEN (save password to a file ini
). If the "Cracker/attacker" has access to the server, it can simply do this in a file:
var_dump(ini_get("mysql.default.password"));
He would discover the password the same way! So what was the point of using an external file to save the password, if at the end of the accounts he would get the password? You can change the way to save the password, but of all were it needs to be returned somewhere. The attacker, who is no fool, will know this.
Some points of the question
I know the php page is not visible to the user, but nowadays, you cannot underestimate the Cracker.
It wasn’t the focus of the question to talk about server hacking, but this is the only way someone can figure out the password that is in the PHP script.
If you know that what is written in a PHP script is not visible to the user (the client, the one using the browser application), then what is your fear?
Don’t worry about it. No one will have access to the content of the script.
If someone gets access to your server’s files is not some ruse to hide the password that will prevent him from discovering it.
– Leandro Godoy Rosa
In fact, you need to outsmart Cracker. Usually it’s not even about "underestimating" them, but rather the sloppiness of the programmer who leaves the application all sambada and insecure.
– Wallace Maxters