I’ve noticed that Magento stores MySQL connection details in an XML file which isn’t secured above the docroot. This seems… well, dangerous.
XML seems like a handy way to store config data, except for one thing: typing in http://www.domain.com.au/library/config.xml will show the world your private details!
I went ahead and used an XML file and added this to my .htaccess file.
    # regex: files that end with the .xml extension
    <Files ~ "\.xml$">
        Order allow,deny
        # don't show them
        Deny from all
    </Files>
Now I was happy with this, but now I’m not too sure. What if the .htaccess file is accidentally deleted/corrupted (does that happen besides human error), and what if one day I want to place the app on a non-Apache server… does every server have an equivalent to block XML files, and if they do, can they be altered on a folder level like .htaccess can (and not just in a httpd.conf file)?
My question is… does the convenience of XML (easy to update, designers who need to tinker won’t feel so intimidated) outweigh the potential problems (exposing private data)?
I’d personally only store config file information in a format that’s not directly accessible, or in a location that isn’t. So I’d either use the XML format above the docroot or use the PHP $config['varname'] = 'value' format. The latter method would just render a blank white page if called directly (so long as it’s all PHP, contains no HTML and doesn’t echo anything out).
Gallery, vBulletin, and Joomla all use the second method I mentioned. I know I’ve mentioned those projects before in other PHP-related questions, but it seems to be a method that’s widely used and accepted between projects.
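As an added example (not code from either post above), this is what the answer's two recommendations look like when combined: a PHP array config kept one level above the docroot, with a guard so that it stays silent even if a deployment mistake ever puts it under the docroot. The directory layout, file names, key names and sample values are assumptions.

```php
<?php
// Assumed location: /var/www/example/config/config.php, one level ABOVE the
// docroot /var/www/example/public. No URL maps to this path, so it stays
// private even if .htaccess is deleted or the site moves to a non-Apache server.
//
// Application code (assumed: /var/www/example/public/index.php) loads it with
//     $config = require dirname(__DIR__) . '/config/config.php';
// and never via a path that the web server also serves.

// Guard: if this file is ever requested directly (copied into the docroot by
// mistake, .htaccess lost), the request ends here with an empty body instead of
// echoing credentials. When included from the app, SCRIPT_FILENAME is the
// bootstrap file, not this one, so execution continues normally.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    exit;
}

// Pure PHP only: no closing ?> tag, no HTML, no echo. Even if the guard were
// removed, a direct request would still render the blank page the answer
// describes rather than the raw text an XML file would leak.
$config = [];
$config['db_host'] = 'localhost';   // constructed sample values
$config['db_name'] = 'shop';
$config['db_user'] = 'shop_app';
$config['db_pass'] = 'CHANGE-ME';

// Returning the array keeps it out of the global scope of whichever script
// included the file; the caller receives it from require.
return $config;
```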