eelixduppy - 9:00 pm on Mar 8, 2010 (gmt 0)
It is generally the case that if a password needs to be included in the script that it be stored ABOVE the web root directory meaning that it cannot be accessed publicly. This is usually the case when it comes to MySQL usernames and passwords. Also, when using a hard-coded password note that anyone who has access to the code also has access to the credentials that you are hiding from the outside world, so it is best to set up a user (if we're talking about databases) that has only very limited privileges, just to do what they need to do and nothing more. On most dynamic websites this is UPDATE and SELECT and rarely anything more.