On 05/26/2010 03:30 PM, Stuart Jansen wrote:
> On Wed, 2010-05-26 at 15:00 -0600, Joe C wrote:
>> My only issue with Magento is that the database password is stored in an xml file. I say that because if you are not careful someone can very easily hack into your database. I like storing database connection info in *.php files so that it is executed to make it harder to gain access to it.
>
> I don't like leaving my car keys in a magnetic container in the wheel well because if you're not careful someone might notice you putting them there. I prefer to put them down the tailpipe because you can get it hot enough to burn anyone who tries to steal the car.
OK, the first part (not leaving car keys with your car) I agree with from a security standpoint. The part about the tailpipe is just plain ridiculous.
If someone wants to add security to their website, don't mock them because php is not more secure, and possibly less so, than an xml file, but educate them about it.
Having said that, php and xml are no more or less secure than each other; the implementation, location, and other security factors are the difference. Is the xml file available to anyone looking for it? Are there access controls in place to prevent that, and even better, is the config outside the document root if at all possible? Is the php security solely based on it being executable? If there is a bug and/or misconfiguration that makes php readable rather than executable, does it completely compromise your setup?
Remember, security is a multi-layer approach; no one solution will actually secure anything for long. Put it outside the document root, make it unreadable, use ACLs (i.e. .htaccess), set up the db to only allow updates to what that script specifically needs, etc, etc, etc.
-Steve
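As an added illustration (not code from the thread or from Magento), here is a small Python audit that applies the layered checks Steve lists to a credentials file: is it under the document root, is there a denying .htaccess beside it, and is it readable by other users. The Magento 1 path app/etc/local.xml and the sample layout are assumptions constructed for the demo.

```python
"""Audit where a web app keeps its database credentials.
Constructed example; checks the controls from the thread: config outside
the document root, an .htaccess that denies direct requests when it is
not, and file permissions that keep other users from reading it."""
import re
import stat
import tempfile
from pathlib import Path

# Apache directives that block direct HTTP access (2.2 and 2.4 syntax).
DENY_PATTERNS = (re.compile(r"^\s*Deny\s+from\s+all", re.I | re.M),
                 re.compile(r"^\s*Require\s+all\s+denied", re.I | re.M))


def audit_config(config_path, document_root):
    """Return a list of findings; an empty list means every check passed."""
    cfg = Path(config_path).resolve()
    docroot = Path(document_root).resolve()
    findings = []
    if docroot == cfg or docroot in cfg.parents:
        findings.append("config is inside the document root; a misconfiguration "
                        "or parser bug could serve it as plain text")
        htaccess = cfg.parent / ".htaccess"
        if not htaccess.is_file():
            findings.append("no .htaccess beside the config to deny direct requests")
        elif not any(p.search(htaccess.read_text()) for p in DENY_PATTERNS):
            findings.append(".htaccess present but does not deny access")
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & stat.S_IROTH:  # only the web server's user should read it
        findings.append("config is world-readable (mode %o)" % mode)
    return findings


def demo():
    """Build a constructed layout in a temp dir and audit both placements."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "htdocs"
    (docroot / "app" / "etc").mkdir(parents=True)
    exposed = docroot / "app" / "etc" / "local.xml"  # assumed Magento 1 location
    exposed.write_text("<config><db><password>constructed</password></db></config>")
    exposed.chmod(0o644)  # typical default: readable by everyone on the host
    private = base / "private"
    private.mkdir()
    safe = private / "local.xml"  # same file, moved outside the document root
    safe.write_text(exposed.read_text())
    safe.chmod(0o600)
    return audit_config(exposed, docroot), audit_config(safe, docroot)
```

Running demo() reports three findings for the in-docroot copy and none for the relocated, owner-only copy.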
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
