In his articles here Ray says that:
"If the salting string(s) and algorithm were compromised, your client's passwords are potentially exposed. Maybe you want to put this into a PHP script that is stored above the WWW root and brought into the scope of the web root scripts via the include() function."
Let's say I have a password page where the user creates her password. If I put the salting script above the root but call it in the page, how do I avoid it being exposed? Since it is called from a page (password.php) which is already at the www, salting.php should also be assumed to be exposed. Am I wrong? Ray, can you clarify this "storing above www root" thing?
//here the php code
CHANGE YOUR PASSWORD
<br/>FORMER PASSWORD: <input name="old" type="password" />
<br/>CHOOSE PASSWORD: <input name="pwd" type="password" />
<br/>VERIFY PASSWORD: <input name="vwd" type="password" />
<br/><input type="submit" value="CHANGE" />
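As an added example (not from Ray's article or from the post above), this PHP 8 script builds a constructed two-directory layout and shows that a file above the web root has no URL of its own, while include() still reads it from disk on the server. The directory names, the placeholder salt and the helper url_to_file() are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed layout:  <base>/private/salting.php   (above the web root)
//                      <base>/www/password.php      (inside the web root)
$base = sys_get_temp_dir() . '/webroot_demo_' . bin2hex(random_bytes(4));
mkdir("$base/private", 0700, true);
mkdir("$base/www", 0700, true);

// Placeholder salt, constructed for this example.
file_put_contents("$base/private/salting.php", <<<'PHP'
<?php
return ['salt' => 'constructed-demo-salt'];
PHP);

// password.php pulls the salt in through the filesystem, as the quoted advice suggests.
file_put_contents("$base/www/password.php", <<<'PHP'
<?php
$cfg = include __DIR__ . '/../private/salting.php';
echo 'salt loaded: ', isset($cfg['salt']) ? 'yes' : 'no', "\n";
PHP);

/**
 * Hypothetical helper modelling how a web server maps a URL path to a file:
 * only paths that resolve to a file inside the document root are served.
 */
function url_to_file(string $docroot, string $urlPath): ?string
{
    $root = realpath($docroot);
    $file = realpath($root . '/' . ltrim($urlPath, '/'));
    if ($file === false || !is_file($file)) {
        return null;
    }
    return str_starts_with($file, $root . DIRECTORY_SEPARATOR) ? $file : null;
}

$docroot = "$base/www";
foreach (['/password.php', '/salting.php', '/../private/salting.php'] as $url) {
    $hit = url_to_file($docroot, $url);
    printf("%-26s -> %s\n", $url, $hit === null ? 'no such URL (404)' : 'executed by PHP');
}

// include() runs on the server and reads from disk; the browser receives only
// what password.php echoes, never the source of salting.php.
include "$docroot/password.php";
```

If salting.php sat inside the web root instead, it would have its own URL, and a server that stopped handing .php files to the PHP interpreter would return its source as plain text.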