views:

253

answers:

3

I've noticed that Magento stores MySQL connection details in an XML file which isn't secured above the docroot. This seems... well, dangerous.

XML seems like a handy way to store config data, except for one thing: typing in http://www.domain.com.au/library/config.xml will show the world your private details!

I went ahead and used an XML file and added this to my .htaccess file.

# Apache 2.2 syntax: refuse every request for a file whose name ends in .xml
# (Apache has no inline "//" comments; a comment must be its own line starting with "#")
<Files ~ "\.xml$">
    Order allow,deny
    Deny from all
</Files>
# On Apache 2.4 the equivalent directive inside the block is: Require all denied

I was happy with this; now I'm not too sure. What if the .htaccess file is accidentally deleted/corrupted (does that happen besides human error), and what if one day I want to place the app on a non-Apache server? Does every server have an equivalent way to block XML files, and if they do, can it be set at the folder level like .htaccess can (and not just in httpd.conf)?

My question is... does the convenience of XML (easy to update, designers who need to tinker won't feel so intimidated) outweigh the potential problems (exposing private data)?

A: 

Short answer: no, it is not. But a better question would be: if it is not stored in a config file, where would you keep it?

zodeus
Under something like config.php, inside script blocks, which will force the parser not to display it. Well, at least until the PHP module fails.
alex
I say just keep the configs outside the DocRoot of your web server and you'll be fine.
zodeus
+1  A: 

I'd personally only store config file information in a format or location that's not directly accessible. So I'd either use the XML format above the docroot or use the PHP $config['varname'] = 'value' format. The latter method would just render a blank white page if called directly (so long as it's all PHP, contains no HTML and doesn't echo anything out).

Gallery, vBulletin, and Joomla all use the second method I mentioned. I know I've mentioned those projects before in other PHP related questions, but it seems to be a method that's widely used and accepted between projects.

invenetix
Wordpress, however, uses define().
alex
They do that because there is a chance that people don't have access to directories outside the web root. If you look at PHP frameworks, they all encourage you to store config files and even application logic outside the web root.
Maiku Mori
I just looked at my Joomla configuration.php file (from 2007) and it has a class Config
alex
I'm an idiot. You're right, Joomla does not. I don't remember which CMS I must have been thinking about then.
invenetix
A: 

I entirely agree with invenetix on this, but also offer a third option which should be combined with either:

name the file storing config info

.htanything.whatever

as, server-wide, all files starting with .ht are unreadable by external users (this is why htaccess is always .htaccess).

Personally I only store config files, includes and function libraries outside of the document root, but I understand that some cannot, thus I always use the .ht naming convention on them as well, in case the $includesfolder has to be moved within the document tree by someone using the software on such a server.

Alan Doherty
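The two suggestions from the last two answers, combined in one file, as an added example that is not code from the thread or from any of the projects named in it: the config is a plain PHP array (the second answer's format), the file is named with the .ht prefix (the third answer's convention, relying on the stock Apache `<FilesMatch "^\.ht">` deny rule that ships in httpd.conf), and it lives one directory above the docroot so that a failed PHP module still cannot serve it. The directory layout, the file names and every config value are assumptions for illustration.

```php
<?php
// ---- /var/www/example/.htconfig.php  (hypothetical path, one level ABOVE the docroot)
// Layout assumed for this example:
//   /var/www/example/.htconfig.php   <- this file
//   /var/www/example/public/         <- Apache DocumentRoot
// Naming it ".ht..." means that even if someone later copies it under the
// docroot, the default Apache rule  <FilesMatch "^\.ht"> Require all denied  refuses it.

// Extra guard for the case where the file does become web-reachable AND the PHP
// module is active: on a direct request the entry script is this very file,
// whereas a legitimate require() from index.php leaves SCRIPT_FILENAME pointing
// at index.php. Running from the command line (php .htconfig.php) is allowed.
if (PHP_SAPI !== 'cli'
    && isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    http_response_code(403);
    exit;
}

// Pure PHP, no HTML, no echo: a server that executes it shows nothing, a server
// that refuses it shows 403. Values below are placeholders, not real credentials.
$config = [
    'db' => [
        'host' => 'localhost',
        'name' => 'shop',
        'user' => 'shop_app',
        'pass' => 'change-me-placeholder',
    ],
];

return $config;


// ---- /var/www/example/public/index.php  (hypothetical front controller in the docroot)
// dirname(__DIR__) is the parent of the docroot, so the request path never
// maps to the config file at all; require() hands back the returned array.
//
//   <?php
//   $config = require dirname(__DIR__) . '/.htconfig.php';
//   $dsn = sprintf('mysql:host=%s;dbname=%s', $config['db']['host'], $config['db']['name']);
//   $pdo = new PDO($dsn, $config['db']['user'], $config['db']['pass']);
```

Keeping the file above the docroot is what actually protects the credentials; the .ht prefix and the direct-request guard only matter on hosting where the file has to sit inside the web tree, which is the case Maiku Mori's comment describes.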