Forum Moderators: coopster


Can I encrypt or hash a database password in a PHP class?


JAB Creations

4:20 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Is it possible to store a password encrypted or as a hash within a PHP class?

- John

coopster

4:50 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



You may have to explain a bit more where you are headed with this concept.
You mean you want to store the value in a variable within an instance of a class? Or do you want to write and store the value when you develop the class?

JAB Creations

5:07 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'd like to avoid having my passwords in plain text when I assign them to a class...

Creating username/password class...

<?php
#[\AllowDynamicProperties] // set() creates properties at run time; PHP 8.2+ deprecates that without this attribute
class vars {
    // Both methods must be public, otherwise they cannot be called from outside the class
    public function set($name, $value) { $this->$name = $value; }
    public function give_me($name) { return $this->$name; }
}

if (true /* placeholder for whatever condition selects the password */) { $thepassword = "my_password"; }

$vars = new vars();
$vars->set('password', $thepassword);
?>

Class Username/Password usage...

$username = $vars->give_me('username');
$password = $vars->give_me('password');
$hostname = "localhost";
$dbh = mysql_connect($hostname, $username, $password) or exit();

In the class file, if I use my password it would be stored in plain text right now, since I wouldn't know how to encrypt it or use a hash, if that is at all possible?

- John

coopster

5:14 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



The problem you are going to have in this particular instance is that the connection to your database is still going to be whatever value is in the string, so it really won't do you any good to have it encrypted -- it is still a string value. What you would need to do is encrypt the password and compare it to the encrypted value and if that matched, then use the non-encrypted value. Does that make sense? It can seem confusing so if it is I can show you an example and we can go from there.
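The "compare it to the encrypted value" step described in the reply above is the one-way hash check used for logins. The following is an added example, not code from this thread, showing that check in PHP and why it cannot replace the plaintext the database driver needs. It assumes PHP 5.5 or later for password_hash()/password_verify(); the demo values are constructed.

```php
<?php
// Added example, not from the thread. "Hash it and compare" works when someone
// submits a password that your code checks; it cannot replace the plaintext the
// database driver needs. Assumed: PHP 5.5+ (password_hash/password_verify).
declare(strict_types=1);

// Account creation: store only the salted bcrypt hash. The salt is generated
// per call and embedded in the returned string, so nothing secret sits in code.
function storePassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

// Login: the submitted value is hashed with the stored salt and compared in
// constant time. The plaintext exists only for the duration of this request.
function checkLogin(string $storedHash, string $submitted): bool
{
    return password_verify($submitted, $storedHash);
}

// Constructed demo values.
$stored = storePassword('my_password');
var_dump(checkLogin($stored, 'my_password'));
var_dump(checkLogin($stored, 'wrong-guess'));

// Why this does not help the connection: the hash is one-way, so 'my_password'
// cannot be recovered from $stored to hand to the driver, and the MySQL server
// would reject the hash string itself as a wrong password:
//   $dbh = new mysqli('localhost', 'app', $stored);   // authentication fails
```

The hash approach protects the passwords of the application's own users, because the server only ever needs to decide whether a submitted value matches. The database account is different: the connection must present the real secret, so hashing it in source gains nothing.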

Demaestro

5:20 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Another issue you may have is that you will be storing the decrypting salt in your code.

Presumably if someone can get your DB they can get the code that decrypts.

Is there a reason you want to encrypt them?

JAB Creations

5:29 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Would double encryption work? I vaguely comprehend how having an already encrypted password may make breaking into the database easier... so is there a way to encrypt the already encrypted password to add to the complexity for a potential hacker trying to break in?

The whole reason behind this question is that a web friend showed me some vulnerability on his server where he could see all the server-side code for other clients on a shared server, though thankfully it does not work on my live server.

- John

coopster

5:42 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I've seen this myself ... it's not a proper setup. Session data and other information are also often freely available to anybody with an account on that system. Move to a new host, or tell your friend to at least.

Regarding open text passwords versus encrypted ... think about it this way ... if you have developed code or an application that requires you to connect to a database you are going to need to establish a connection. That connection is going to use a value that you pass to it. If you have that value in your class as either plain text or an "encrypted" password, it is still available to anybody that has access to view your class, as is the case on your friend's server. Example ...

class myClass
{
    public $myPassword = 'plaintext';
    // or the "encrypted" version (declaring the property twice is a fatal error, so it is shown commented out):
    // public $myPassword = 'B0A1EEF0C2C3GGF1D4B0A1EEF0C2C3GG';
}
$obj = new myClass();
$dbh = mysql_connect($hostname, $username, $obj->myPassword) or exit();

Either way, the text value is used to connect.
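Since the connection has to see the plaintext, the control that actually helps is limiting who can read it. The following is an added example, not code from this thread, of loading the database password from a file outside the document root and refusing to run if that file is readable by other accounts. The path /etc/myapp/db.ini, its contents and the class name are assumptions for illustration; it needs PHP 7.4 or later and the mysqli extension.

```php
<?php
// Added example, not code from the thread. Given that the connection must see the
// plaintext password, the useful control is to keep that plaintext out of the
// class, out of the document root and unreadable by other accounts on the host.
// Assumed (hypothetical) layout: /etc/myapp/db.ini, mode 0600, owned by the user
// PHP runs as, containing
//
//     [database]
//     host = localhost
//     user = app
//     pass = correct horse battery staple
//     name = appdb
//
// Requires PHP 7.4+ and the mysqli extension.
declare(strict_types=1);

final class DbCredentials
{
    private string $host;
    private string $user;
    private string $pass;
    private string $name;

    private function __construct(string $host, string $user, string $pass, string $name)
    {
        $this->host = $host;
        $this->user = $user;
        $this->pass = $pass;
        $this->name = $name;
    }

    /** Load credentials from an INI file that only the owning user may read. */
    public static function fromIniFile(string $path): self
    {
        if (!is_file($path)) {
            throw new RuntimeException("credentials file not found: $path");
        }
        // On a shared host the usual leak is a group/world-readable file, so refuse
        // to run with anything looser than 0600 rather than silently continue.
        $mode = fileperms($path) & 0777;
        if (($mode & 0077) !== 0) {
            throw new RuntimeException(sprintf('%s is mode %04o; expected 0600', $path, $mode));
        }
        $ini = parse_ini_file($path, true, INI_SCANNER_RAW);
        if ($ini === false || !isset($ini['database'])) {
            throw new RuntimeException("no [database] section in $path");
        }
        $db = $ini['database'];
        foreach (['host', 'user', 'pass', 'name'] as $key) {
            if (!isset($db[$key]) || $db[$key] === '') {
                throw new RuntimeException("missing database.$key in $path");
            }
        }
        return new self($db['host'], $db['user'], $db['pass'], $db['name']);
    }

    /** The plaintext is handed to the driver here and nowhere else. */
    public function connect(): mysqli
    {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        return new mysqli($this->host, $this->user, $this->pass, $this->name);
    }

    /** Keep the password out of var_dump()/print_r() and stack-trace dumps. */
    public function __debugInfo(): array
    {
        return ['host' => $this->host, 'user' => $this->user, 'name' => $this->name, 'pass' => '***'];
    }
}

$dbh = DbCredentials::fromIniFile('/etc/myapp/db.ini')->connect();
```

The permission check only means something when PHP runs as your own account (suexec, suPHP, a per-user php-fpm pool). On a host where every customer's scripts run as one shared web-server user, any file that user can read is readable by every neighbour's script, which is exactly the situation described in this thread, and no amount of code in the application fixes that; it is a hosting configuration problem.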

JAB Creations

5:57 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So essentially in regards to protecting passwords I should be more concerned about detecting vulnerabilities on any given server? If so how?

- John

Demaestro

6:03 pm on Apr 1, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think that is the better use of your energy.

Like it has been said, if they can get that class they can get the decrypt method as well. Any way you look at it, if someone gets at your back-end code/DB you have issues, and encrypted passwords won't matter because they are already in.

How to do this is greatly dependent on what OS/DB/PHP/Apache versions you are using.

There are lots of help guides out there if you do a search. If you have someone hosting for you, tell them you want to have the server audited. It might cost a couple of bucks, but it would be a good thing.

If you are hosting you might want to look at getting a third party security company to audit your server for you. They will give you a list of suggestions for tightening things up. You can even get your code audited which isn't a bad thing.