I almost don't want to reply because I think you're heading for trouble if you do this route. But as you're so determined to do so...
(Please forgive me, DBA lords!)
One way is to use shell variables to determine the username/password that you'll use to connect to the database. That way, you don't hardcore it in a script (please tell me even you are aware that that's an AWFUL idea) AND if anyone's on the box and does a 'ps -ef | grep sqlplus' your password isn't in cleartext.
Some people store these values in a profile, but that's an obvious place to look. Others have a specific '.var' file which is hidden and only oracle (and root) can see which you call in the script to populate your variables. Neither way is ideal and leaves yourself wide open, as we've said before, to a major security hole.