How is the Propel xml file with the database connection password and username supposed to be secured when you put it on a webserver?
<connection><dsn>mysql:host=localhost;dbname=test</dsn><user>root</user><password/></connection>
If I put it in the main directory, anybody who knows the path can access this XML file, right?
Is there a simple and effective solution?
Thank you for your advice.
You can go two ways to not have those security issues.
1) Do not store the .xml file on the webserver.
Propel has a command config:convert-xml which converts your XML file into a PHP file, which can't be read by HTTP clients.
config
config:convert-xml Transform the XML configuration to PHP code leveraging the ServiceContainer
So just store the xml file in your VCS repo, but delete it on your webserver and generate a php config which you then include in your main index.php.
or
2) Change the entry point of your website.
If you have structure like this:
.
├── composer.json
├── generated-classes/
├── generated-conf/
│   └── config.php
├── src/
│   ├── buildtime-conf.xml
│   ├── runtime-conf.xml
│   └── schema.xml
├── vendor/
│   ├── autoload.php
│   ├── ...
└── web/
    └── index.php
And, for example, point your Apache to ./web/ instead of ./, then it's not possible to access any files other than those in the ./web/ folder. Of course, your index.php then has include statements with /../:
include __DIR__ . '/../vendor/autoload.php';
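
A pre-deploy check for the two layouts described in this answer, as an added example that is not part of the original answer or of Propel: it walks a candidate document root and lists XML files that carry a `<connection>` element with `dsn`, `user` or `password` children. The function names and the simplified sample XML are assumptions constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Element names taken from the <connection> snippet in the question.
CREDENTIAL_TAGS = {"dsn", "user", "password"}


def find_exposed_configs(docroot):
    """Return relative paths of XML files under docroot that carry
    <connection> elements with dsn/user/password children."""
    exposed = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(base, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML, nothing to inspect
            for conn in root.iter("connection"):
                if CREDENTIAL_TAGS & {child.tag for child in conn}:
                    exposed.append(os.path.relpath(path, docroot))
                    break
    return sorted(exposed)


def build_sample_project(top):
    """Constructed sample: the directory layout shown in the answer."""
    xml = ("<config><connection><dsn>mysql:host=localhost;dbname=test</dsn>"
           "<user>root</user><password/></connection></config>")
    for sub in ("src", "generated-conf", "web"):
        os.makedirs(os.path.join(top, sub))
    for name in ("runtime-conf.xml", "buildtime-conf.xml"):
        with open(os.path.join(top, "src", name), "w") as fh:
            fh.write(xml)
    with open(os.path.join(top, "src", "schema.xml"), "w") as fh:
        fh.write("<database name='test'/>")
    with open(os.path.join(top, "generated-conf", "config.php"), "w") as fh:
        fh.write("<?php // generated by config:convert-xml\n")
    with open(os.path.join(top, "web", "index.php"), "w") as fh:
        fh.write("<?php include __DIR__ . '/../vendor/autoload.php';\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as top:
        build_sample_project(top)
        print("docroot ./    :", find_exposed_configs(top))
        print("docroot ./web/:", find_exposed_configs(os.path.join(top, "web")))
```

With the document root at the project top, both connection files under src/ are reported; with it at web/, the list is empty.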