I've noticed that Magento stores MySQL connection details in an XML file which isn't secured above the docroot. This seems.... well dangerous.
XML seems like a handy way to store config data, except for one thing, typing in http://www.domain.com.au/library/config.xml will show the world your private details!
I went ahead and used an XMl file and added this to my .htaccess file.
<Files ~ "\.xml$"> // regex files that end with xml extension
Order allow,deny
Deny from all // don't show them
</Files>
Now I was happy with this, now I'm not too sure. What if the .htaccess file is accidentally deleted/corrupted (does that happen besides human error) and what if one day I want to place the app on a non apache server... does every server have the equivalent to block XML files, and if they do, can they be altered on a folder level like the .htaccess can (and not just a httpd.conf file).
My question is... does the convenience of XML (easy to update, designers who need to tinker won't feel so intimidated) outweigh the potential problems (exposing private data)?
