It doesn't really matter if anyone gets your IP. It's easy to get an IP. What you should really be worrying about is passwords, especially if they are encrypted, not hashed. I'm not an expert on the matter, but I'd really recommend hashing the passwords, not encrypting them with a key that can be seen in the code. What if someone you didn't trust got access to your server and code and decrypted the password files with the key? When they are hashed, it's harder for script kiddies to get at them because it's not as simple as running the string_decrypt function on the file contents.
Edit: See this: https://nakedsecurity.sophos.com/2013/1 … ds-safely/
Edit 2: Ivan, why are you directly accessing user passwords in the first place? If someone forgets their password, have something automated to change it. When you forget your Twitter password, a Twitter representative doesn't decrypt your password and send it to you in an e-mail.
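
Added example, not part of the original post: a Python sketch of the two recommendations above, storing salted one-way hashes instead of key-encrypted passwords and replacing password recovery with an automated reset token. The `Accounts` class, the record format and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # assumed work factor, not from the post

def hash_password(password):
    """Return a salted, one-way record; no key exists that reverses it."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:  # malformed record
        return False
    return scheme == "pbkdf2_sha256" and hmac.compare_digest(dk, expected)

class Accounts:
    """Hypothetical in-memory user store with an automated reset flow."""
    def __init__(self):
        self.records = {}  # username -> password record
        self.resets = {}   # sha256(token) -> (username, expiry time)

    def register(self, user, password):
        self.records[user] = hash_password(password)

    def login(self, user, password):
        record = self.records.get(user)
        return record is not None and verify_password(password, record)

    def start_reset(self, user, ttl=900):
        """Issue a one-time token to e-mail; only its digest is stored."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.resets[digest] = (user, time.time() + ttl)
        return token

    def finish_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        user, expiry = self.resets.pop(digest, (None, 0.0))
        if user not in self.records or time.time() > expiry:
            return False
        self.records[user] = hash_password(new_password)
        return True
```

Nothing in `records` or `resets` can be turned back into a password or a usable token, so a copy of the server's files and code gives an intruder only values to guess against.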