I have a server running a Debian os, and I have a multitude of .php scripts located in the default apache public directory. This is definitely not the most secure way to do this, but I have a script that will execute whatever $_REQUEST["sql"] says onto mysql database. You can only query this if you have the correct password, which is compared in plain text in the script.
My question is could an attacker somehow view this script and find the password, then execute sql statements at will?
Is it possible? Sure it is, if your server is hacked, which is a real possibility. That being said, it's actually pretty normal to include credentials in PHP files (ex. Wordpress), even if it's not the most secure way possible.
What you are talking about, however, is an unnecessary security risk. In terms of authentication, you should use a one-way hash on the password so that if the PHP files are compromised, an attacker will still not be able to use them. Check out the password_hash(..) function.
Furthermore, you should never be executing SQL statements sent directly by the user. If you are going to be performing administrative tasks, use either Adminer or PhpMyAdmin. SQL statements should be generated server-side using prepared statements to escape user-input information.