$password= '*****' is this safe?

may i ask if it is ok to create a $password variable with my real password as the string? it seems like mysql_real_escape_string() won't work because this function only works after the connection is made, but i've also read that php code is not actually viewable by a user...

I always wondered this myself,

But im not sure so you could just encrypt it anyway, there are functions in PHP that do this.

Find the encrypted value of your password string and do $encrypted_password = '**********';

Then, do a check against md5($entered_password) == $encrypted_password. This way, if someone gains FTP access, or another user on your server, won't know what your password is.

I'm not sure if we're talking about the same thing. I THINK you might be referring to a form where a user logs in with a password, whereas I am trying to write a script which takes $_POST data and enters it into an INSERT query using the username and password in mysql_connect().

$hostname="blah.blah.net";
$username="blahblahjunior";
$password="blahblahblah";
$dbname="blahbase";
$usertable="blahusers";

$con = mysql_connect($hostname,$username, $password);

i.e. is the $password string in the php file used to connect to the database ever visible/hackable by an outside user.

p.s. yer cute

Ah, you're right. I was referring to a password being entered in a form. In such a case, entering the password in plain text is the only alternative I know of, since md5() and sha1() are both one-way encryption algorithms.

my bad ambiguous post to start with. thx...

I asked the same question several months ago.

Here's the thread:
http://www.daniweb.com/techtalkforums/thread48057.html

Users of Mozilla and Firefox may want to right click and select "Open in new Tab" especially if they're browsing with tabs now.