What are security implications for storing password vals in variables $password & $confirm_password?

This is a very broad question, and it might be more useful to narrow down exactly what you want to accomplish, however i will try and help by assuming you want to save the value for use during a particular user session:

You are actually not storing the password in the session rather just storing the information that this particuar user has already logged in.

$_SESSION['pass_ok']='1';

On every page you just have to do a session_start() and check if this session is already set to 1, if yes they assume him to be logged and proceeed, else redirect to login page.

If someone gets hold of the session id then they definitely can access the user session. You can do a few things to make it more secure.

• Use SSl (https), it will make hard to sniff the data and get your session id
• Maintain the client ip in the session when user logs in, for every request after logging in, check if the requests are coming from same ip
• Set a short session timeout, so that if left idle for a while the session times out automatically.

Saving passwords in a variable to pass on to a database is obviously a big no, as they can be retrieved using nothing but a web browser.

Saving passwords in a variable before you hash and salt it is also not a great idea, as anyone obtaining access to a users session can access the variable and will be able to see the password.

Basically stick to the well established methods of passing on encrypted information.

Even if you follow all best practices and store safely parsed hashes with added salt in a database, someone could still obtain access to the database and use a "rainbow sheet" or run a brute force decrypt algorithm against your data and there will be a small chance they can will be able to work out your users passwords.

There is no 100% save way. But it's always a good idea to stick to best practices.

I hope this helps!

I'm sure there are others here who are much more versed in security issues than I am, but here's my opinion, to start the conversation.

As long as by "storing in variables" you mean while a program is being executed on a server, I can't see much of any security risk. Further, how would you go about checking a user-supplied username password pair without storing them in variables? What we are warned about is inadvertently taking in unwanted stuff via query strings, text boxes, etc., so I always check any user-supplied data before using it, and stuff entered into user name and password text fields is as user-supplied as any other.

If you mean storing them in variables to pass on to a database for storage, then, yes, but it's the database that's the problem, not the PHP program doing the storing. Here there's a big issue, as md5, SHA-1, etc., some of the common encryption algorithms supported by mySQL and other DBMSs, are very easy to break.