On 05/26/2010 03:00 PM, Joe C wrote:
> My only issue with Magento is that the database password is stored in
> an xml file. I say that because if you are not careful someone can very
> easily hack into your database. I like storing database connection
> info in *.php files so that it is executed to make it harder to gain
> access to it.

Given these two choices, the XML file would be more secure any day. I'm assuming that the XML file is not in the web root and is thus inaccessible to direct download. Putting database passwords in the php file could be okay if the php file in question is not in the webroot anywhere (and not accessible from a browser). But putting passwords in php files that are in the webroot is extremely dangerous. All it takes is a problem that disables php and suddenly all your passwords are there in plain text in the browser.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
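
The distinction drawn in the reply above can be checked mechanically. The following is an added example, not part of the original message or of Magento: it walks an application tree and sorts every credential-bearing file into the three cases the reply describes. The file names, the regular expression and the rule that only `.php` is executed are assumptions for illustration.

```python
import os
import re
import tempfile

# Assumed pattern for credential-looking settings; tune it per application.
SECRET_RE = re.compile(r"password|passwd|pwd", re.IGNORECASE)
# Assumption: only .php is handed to the interpreter; the rest is served as-is.
EXECUTED_EXTS = {".php"}

def classify(path, webroot):
    """Return the exposure class of one credential-bearing file."""
    real, root = os.path.realpath(path), os.path.realpath(webroot)
    if os.path.commonpath([real, root]) != root:
        return "outside-webroot"    # not reachable by direct download
    if os.path.splitext(real)[1].lower() in EXECUTED_EXTS:
        return "webroot-executed"   # plain text in the browser if PHP is disabled
    return "webroot-static"         # downloadable today unless the server blocks it

def audit(app_root, webroot):
    """Classify every file under app_root that holds a password-like setting."""
    findings = {}
    for dirpath, _dirs, files in os.walk(app_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(1 << 20)  # config files are small
            except OSError:
                continue
            if SECRET_RE.search(text):
                findings[os.path.relpath(path, app_root)] = classify(path, webroot)
    return findings

def demo():
    """Audit a constructed layout; all file names here are hypothetical."""
    layout = {
        "config/db.xml": "<connection><password>example</password></connection>",
        "public/settings.php": "<?php $db_password = 'example';",
        "public/backup.xml": "<password>example</password>",
        "public/index.php": "<?php echo 'hello';",
    }
    with tempfile.TemporaryDirectory() as app:
        for rel, body in layout.items():
            full = os.path.join(app, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return audit(app, os.path.join(app, "public"))
```

Calling `audit(app_root, webroot)` on a real deployment returns the same mapping; anything not reported as `outside-webroot` is a candidate for relocation.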
