Oh my fucking god... I am looking at this code written by a previous developer and he put the passwords in plain in an array in a PHP file, like WHAT WERE YOU THINKING? (btw that's also how he checks the password, just check whether it's in the array)

c'mon pls

Comments
  • 2
    So you're saying anyone can login with password "password" or "1234".
  • 1
    @spongessuck no what I'm saying is this is what he did

    <?php
    // Plaintext password list hard-coded straight into the source file
    $passwords = array('thepassword');
    // "Authentication" is a case-insensitive membership test against that list
    if (in_array(strtolower(@$_POST['password']), $passwords)) {
        // yay logged in
    }
  • 1
    Then you open wp-config.php in a WordPress directory. Never understood why all the MySQL login credentials are just sitting there in plain text.
  • 0
    @stackodev wait how do you store your DB password in PHP? Do you save like an encrypted version or smth?
  • 0
    @stackodev All I see is them defining the password :P what I wanted to ask is like when you have to connect to a database how do you store your password in the code?
  • 0
    @liammartens I'm not that advanced as a PHP dev yet. Most of my work with WP has been managing ecommerce and blogs and content using ready-made plugins. wp-config.php "just works" as far as persisting the DB credentials from my view. Sitting down over the next several days to jack into the Matrix and learn the answers to the kinds of questions you're asking.
  • 1
    @stackodev ah okay okay :P well to be fair, you can't really do anything apart from storing your db creds plain in your code somewhere. Only thing you could do is put an encrypted one but then again you'd need the decryption key as well so not much sense there
  • 1
    @liammartens the new thing is to store credentials in environment variables. That way, even if someone stole your source, the creds would be safe (unless they knew exactly what to look for)
  • 0
    And lesson learned from this rant and comments:
    Any password saved in plaintext in your code is wrong. If you laughed at this rant and still have any system password or api secret key in your code, joke is on you.
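The hardened counterpart to what the thread discusses (the in_array() plaintext check, the environment-variable suggestion and the "no plaintext password in code" lesson), as an added example that is not code from the rant or any commenter. The sample user, the DB_USER / DB_PASSWORD variable names and the function names are assumptions.

```php
<?php
// Added example: only password hashes are stored, verification uses
// password_verify(), and DB credentials are read from the environment.

// Constructed sample user store: what would actually be persisted in a DB.
// The hash is produced by password_hash() at account creation; the plaintext
// is never written to source or storage.
function build_sample_users(): array {
    return [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

// Login check. $password must come from the POST body, never from a GET
// query string, which ends up in access logs and browser history.
function check_login(array $users, string $username, string $password): bool {
    // Dummy hash so an unknown username costs the same time as a known one
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);

    if (!isset($users[$username])) {
        password_verify($password, $dummy);
        return false;
    }
    // No strtolower(): the submitted password is compared exactly as typed
    return password_verify($password, $users[$username]);
}

// DB credentials come from the process environment (assumed variable names),
// so they live in neither the repository nor a web-served config file.
function db_credentials(): array {
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASSWORD');
    if ($user === false || $pass === false) {
        throw new RuntimeException('DB_USER and DB_PASSWORD must be set in the environment');
    }
    return ['user' => $user, 'password' => $pass];
}

$users = build_sample_users();
var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'CORRECT HORSE BATTERY STAPLE'));
var_dump(check_login($users, 'bob', 'anything'));
```

Run it with DB_USER and DB_PASSWORD exported in the shell to see db_credentials() succeed; with either unset it throws instead of falling back to a value baked into the file.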
  • 0
    @franga2000 right good point
  • 0
    So I was checking the code for an API someone else made and the login web service literally receives a GET request with the username and password.

    Holy cow.
  • 0
    @cahva shouldn't it be fine as long as the password is outside of the public directory? Or so I've heard at least (FYI this was in public directory)
  • 0
    @liammartens more important is not to add your passwords to the version control. If attacker gets to read your conf files using public url you're fucked already at that point.