1.2.513. Hardcoded Passwords
Hardcoded passwords in the code.
Hardcoding passwords is a bad idea. Not only does it make the code difficult to change, it is also an information leak: anyone who can read the source (or the repository history) can read the credential. It is better to keep this kind of information out of the code.
<?php
$ftp_server = '300.1.2.3'; // yes, this doesn't exist, it's an example
$conn_id = ftp_connect($ftp_server);
// login with username and password: the literal credentials below are what this rule reports
$login_result = ftp_login($conn_id, 'login', 'password');
?>
Name | Default | Type | Description
passwordsKeys | password_keys.json | data | List of array index and property names that shall be checked for potential secret key storages.
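The passwordsKeys option names the array indexes and property names the rule looks at. The following script is an added example, not Exakat's own code, that shows the kind of check this implies: it tokenizes a PHP source with token_get_all and reports every array index or property from a key list that is assigned a string literal. The key list is embedded inline as a stand-in for password_keys.json, and the scanned source is a constructed sample; the function name findHardcodedSecrets is an assumption of this example.

```php
<?php
// Added example, not from the Exakat page: a minimal detector in the spirit of
// the passwordsKeys option. Assumptions: the key list below stands in for the
// contents of password_keys.json, and $sample is a constructed PHP source.

$passwordKeys = ['password', 'passwd', 'pwd', 'secret', 'api_key'];

// Constructed sample source: lines 2 and 3 should be reported, line 4 should not.
$sample = <<<'SRC'
<?php
$config['password'] = 'hunter2';
$client->api_key = 'sk_live_example';
$config['password'] = getenv('DB_PASSWORD');
$timeout = 30;
SRC;

/**
 * Return [line => key] for every assignment of a string literal to an array
 * index ($arr['key']) or property ($obj->key) whose name is in $keys.
 */
function findHardcodedSecrets(string $source, array $keys): array
{
    $tokens = token_get_all($source);
    $count = count($tokens);
    $findings = [];

    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue;
        }
        $keyName = null;
        // Case 1: $arr['password'] -> a '[' token followed by a constant string.
        if ($t[0] === T_CONSTANT_ENCAPSED_STRING && $i > 0 && $tokens[$i - 1] === '[') {
            $keyName = trim($t[1], "'\"");
        }
        // Case 2: $obj->password -> T_OBJECT_OPERATOR followed by T_STRING.
        if ($t[0] === T_STRING && $i > 0 && is_array($tokens[$i - 1])
            && $tokens[$i - 1][0] === T_OBJECT_OPERATOR) {
            $keyName = $t[1];
        }
        if ($keyName === null || !in_array(strtolower($keyName), $keys, true)) {
            continue;
        }
        // Skip a closing ']' and whitespace, then require an '=' sign.
        $j = $i + 1;
        while ($j < $count && ($tokens[$j] === ']'
            || (is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE))) {
            $j++;
        }
        if ($j >= $count || $tokens[$j] !== '=') {
            continue;
        }
        // Skip whitespace after '=' and report only if a string literal follows.
        $j++;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_CONSTANT_ENCAPSED_STRING) {
            $findings[$t[2]] = $keyName; // $t[2] is the line number of the key token
        }
    }
    return $findings;
}

foreach (findHardcodedSecrets($sample, $passwordKeys) as $line => $key) {
    echo "line $line: string literal assigned to '$key'\n";
}
```

Running this on the sample reports lines 2 and 3 and stays silent on line 4, where the value comes from getenv() rather than a literal; that distinction is the point of the rule, since moving the value out of the source is the fix. A real scanner would also need to handle compound assignments and values built by concatenation, which this deliberately small version does not.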
See also 10 GitHub Security Best Practices and Git How-To: Remove Your Password from a Repository.
1.2.513.1. Suggestions
Remove all passwords from the code. Also check the history if you are using a VCS: a password that was committed once stays readable in past revisions until the history is rewritten and the credential is rotated.
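As an added example, not code from the Exakat page, here is the FTP snippet above with the credentials moved out of the source. It assumes the host, user and password are supplied through the environment variables FTP_HOST, FTP_USER and FTP_PASSWORD, or through an ini file stored outside the web root whose path is given in FTP_CREDENTIALS_FILE; none of these names come from the original page, and the function loadFtpCredentials is this example's own.

```php
<?php
// Added example, not from the Exakat page. Assumed configuration sources:
// environment variables FTP_HOST / FTP_USER / FTP_PASSWORD, or an ini file
// outside the web root named by FTP_CREDENTIALS_FILE.

/**
 * Load FTP credentials from the environment, falling back to an ini file
 * outside the web root. Fails closed instead of silently using an empty value.
 */
function loadFtpCredentials(): array
{
    $creds = [
        'host'     => getenv('FTP_HOST'),
        'user'     => getenv('FTP_USER'),
        'password' => getenv('FTP_PASSWORD'),
    ];

    $file = getenv('FTP_CREDENTIALS_FILE');
    if ($file !== false && is_readable($file)) {
        // Constructed example of the file contents (keep it mode 0600, outside the web root):
        //   host = ftp.example.com
        //   user = deploy
        //   password = <value set by the operator>
        $ini = parse_ini_file($file, false, INI_SCANNER_RAW);
        if ($ini !== false) {
            foreach (['host', 'user', 'password'] as $k) {
                if ($creds[$k] === false && isset($ini[$k])) {
                    $creds[$k] = $ini[$k];
                }
            }
        }
    }

    foreach ($creds as $k => $v) {
        if ($v === false || $v === '') {
            // Name the missing key, never its value, in the error message.
            throw new RuntimeException("FTP credential '$k' is not configured");
        }
    }
    return $creds;
}

$creds = loadFtpCredentials();
$conn_id = ftp_connect($creds['host']);
if ($conn_id === false) {
    throw new RuntimeException('Could not connect to FTP server');
}
$login_result = ftp_login($conn_id, $creds['user'], $creds['password']);
if ($login_result === false) {
    ftp_close($conn_id);
    throw new RuntimeException('FTP login failed');
}
// From here on the password is only held in $creds; do not echo or log it.
```

With this layout the source contains no secret, so it can be committed and reviewed freely, and the ini file (or the deployment environment) is the only place that needs restricted permissions. If the credentials were ever committed, rotating them is still required; removing them from the working tree alone does not remove them from the VCS history.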
1.2.513.2. Specs
Short name | Functions/HardcodedPasswords
Rulesets |
Exakat since | 0.8.4
PHP Version | All
Severity | Major
Time To Fix | Slow (1 hour)
Precision | Very high
Features | password, hard-coded
ClearPHP |
Available in |