It is by default in the web root. Only a .htaccess file in "/app" protects it. That is my issue with the default install. I don't know if it is possible to move the xml files outside of the web root or not. I know that at least with WordPress you can move the wp-config.php file outside of the web root.
Since the default location is /app/etc for the config.xml file, with a quick Google search I wasn't able to find a way to move the config file. I didn't spend much time on it as I get to go home now.

How can XML be more secure than PHP for storing passwords? I just don't see how that could be possible. I realize that if PHP is having issues it can display your stuff, but if that .htaccess file gets renamed the same thing can happen, and you wouldn't notice that as easily as seeing PHP is broken for your site.

On Wed, May 26, 2010 at 3:36 PM, Michael Torrie <[email protected]> wrote:
> On 05/26/2010 03:00 PM, Joe C wrote:
>> My only issue with Magento is that the database password is stored in
>> an xml file. I say that because if you are not careful someone can very
>> easily hack into your database. I like storing database connection
>> info in *.php files so that it is executed to make it harder to gain
>> access to it.
>
> Given these two choices, the XML file would be more secure any day. I'm
> assuming that the XML file is not in the web root and is thus
> inaccessible to direct download.
>
> Putting database passwords in the php file could be okay if the php file
> in question is not in the webroot anywhere (and not accessible from a
> browser). But putting passwords in php files that are in the webroot is
> extremely dangerous. All it takes is a problem that disables php and
> suddenly all your passwords are there in plain text in the browser.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
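The worry raised above (a credentials file inside the web root whose only shield is an .htaccess that could be renamed without anyone noticing) can be turned into a deployment check. The script below is an added example, not code from Magento or from anyone in this thread; the file list, the deny-all spellings and the sample directory layout are assumptions constructed for the demo.

```python
import os
import tempfile

# Assumed paths (relative to the web root) that hold database credentials.
SENSITIVE_FILES = ("app/etc/config.xml", "app/etc/local.xml")
# Apache 2.2 and 2.4 spellings of a deny-all rule.
DENY_DIRECTIVES = ("deny from all", "require all denied")

def htaccess_denies(directory):
    """True if directory/.htaccess exists and contains a deny-all rule."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return any(d in fh.read().lower() for d in DENY_DIRECTIVES)

def is_shielded(webroot, relpath):
    """Walk from the file's directory up to the web root looking for a deny-all .htaccess."""
    webroot = os.path.abspath(webroot)
    directory = os.path.dirname(os.path.join(webroot, relpath))
    while True:
        if htaccess_denies(directory):
            return True
        if directory == webroot:
            return False
        directory = os.path.dirname(directory)

def audit(webroot):
    """Return the sensitive files that sit in the web root with no deny-all .htaccess above them."""
    return [rel for rel in SENSITIVE_FILES
            if os.path.isfile(os.path.join(webroot, rel)) and not is_shielded(webroot, rel)]

def build_tree(root, htaccess_name):
    """Constructed Magento-like layout: app/etc/config.xml plus an .htaccess (or a renamed copy) in app/."""
    os.makedirs(os.path.join(root, "app", "etc"))
    with open(os.path.join(root, "app", "etc", "config.xml"), "w") as fh:
        fh.write("<config><db><password>example</password></db></config>\n")
    with open(os.path.join(root, "app", htaccess_name), "w") as fh:
        fh.write("Order deny,allow\nDeny from all\n")

def demo():
    """Audit two constructed web roots: one intact, one where .htaccess was renamed."""
    results = {}
    for label, name in (("intact", ".htaccess"), ("renamed", ".htaccess.bak")):
        with tempfile.TemporaryDirectory() as root:
            build_tree(root, name)
            results[label] = audit(root)
    return results

if __name__ == "__main__":
    print(demo())  # {'intact': [], 'renamed': ['app/etc/config.xml']}
```

A deny-all .htaccess only takes effect when Apache's AllowOverride permits it, so this check catches a missing or renamed file but not a server that ignores .htaccess altogether; moving the credentials file outside the web root removes that dependency entirely.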
