Dolphin 7.0.9 Vulnerable to hackers?

Dear community,

Are there any statistics on how frequently dolphin gets hacked? How secure is it from hackers trying to get your database login name and password or admin login data?

I'm asking this because:

1) For security reasons, shouldn't certain sensitive data be stored outside of the document root?

2) Should I disable file upload to nullify the chance of an override of my htaccess file?

3) In which folder are the sounds, videos etc stored?

 

Please, I need some advice there.


Regards from Switzerland

Quote · 9 Jun 2012

Dolphin has vulnerabilities in older versions; being up-to-date is important.  BoonEx announces all patches and waits a few months before disclosing new vulnerabilities, so people have enough time to patch their sites.  But most of the "hacked" (this isn't the correct use of the word) sites are from outdated installs and compromised servers (e.g., FTP account, cPanel account, etc.)  So I would argue Dolphin is in the same boat as most other scripts.

 

In short, keep up-to-date, have strong passwords (and don't give them out carelessly!) and correct permissions for all files and directories.  Also have active and updated antivirus installed on your PCs and/or Macintoshes.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 9 Jun 2012

But where does all the uploaded media land, such as the products for the store or sounds?
I have set the permissions as instructed by the install, and probably all folders, as far as I can see, are set to 755. Although the root folder, which I called html, is set to 777; I hope this is OK.

By the way, is it possible to set the data size of files uploaded such as music, videos, pictures and avatars? For example, setting the maximum file size for music to 2 megabytes.

Quote · 9 Jun 2012

 

I have set the permissions as instructed by the install, and probably all folders, as far as I can see, are set to 755. Although the root folder, which I called html, is set to 777; I hope this is OK.

By the way, is it possible to set the data size of files uploaded such as music, videos, pictures and avatars? For example, setting the maximum file size for music to 2 megabytes.

No method from Dolphin (except for some source mods I'd have to look up again).  Dolphin uses the PHP values for uploads, so whatever is set for PHP is what Dolphin will use.  For example, if upload_max_filesize and post_max_size are 5M, Dolphin will only allow uploading files which are 5 MB or lower in size.

 

You can edit the upload file for each module and add a line of code to set a new limit (as long as it isn't more than what PHP has been set to allow).  I need to look into it, because it's been a while since I've done it.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 9 Jun 2012
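The limit behaviour described in the reply above, as an added example that is not part of the thread and is not Dolphin or BoonEx code: it reads the PHP upload ceiling from `upload_max_filesize` and `post_max_size` and applies a smaller per-type cap on top (the 2 MB music limit from the question). The function names, the `$caps` array and the sample `$_FILES` entries are assumptions constructed for illustration.

```php
<?php
// Added example with hypothetical helper names; not taken from Dolphin.

// Convert a php.ini size value ("5M", "512K", "1G", "2097152") to bytes.
function iniSizeToBytes(string $value): int
{
    $value = trim($value);
    $number = (int) $value;                  // (int) "5M" yields 5
    switch (strtolower(substr($value, -1))) {
        case 'g': $number *= 1024;           // fall through
        case 'm': $number *= 1024;           // fall through
        case 'k': $number *= 1024;
    }
    return $number;
}

// Largest upload PHP itself will accept. A setting of 0 is treated
// here as "no limit from this setting" (an assumption of this example).
function phpUploadCeiling(): int
{
    $limits = array_filter([
        iniSizeToBytes((string) ini_get('upload_max_filesize')),
        iniSizeToBytes((string) ini_get('post_max_size')),
    ], fn ($bytes) => $bytes > 0);
    return $limits ? min($limits) : PHP_INT_MAX;
}

// Returns null when the upload is within the cap, otherwise the reason.
function checkUploadSize(array $file, int $typeCap): ?string
{
    $cap = min($typeCap, phpUploadCeiling()); // a per-type cap can only lower the ceiling
    if ($file['error'] === UPLOAD_ERR_INI_SIZE) {
        return 'rejected by PHP: larger than upload_max_filesize';
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . $file['error'];
    }
    if ($file['size'] > $cap) {
        return sprintf('file is %d bytes, limit is %d', $file['size'], $cap);
    }
    return null;
}

$caps = ['music' => 2 * 1024 * 1024];        // constructed per-type cap: 2 MB
$samples = [                                 // constructed stand-ins for $_FILES entries
    'small.mp3' => ['size' => 1500000, 'error' => UPLOAD_ERR_OK],
    'large.mp3' => ['size' => 3500000, 'error' => UPLOAD_ERR_OK],
    'huge.mp3'  => ['size' => 0,       'error' => UPLOAD_ERR_INI_SIZE],
];
foreach ($samples as $name => $file) {
    echo $name, ': ', checkUploadSize($file, $caps['music']) ?? 'accepted', PHP_EOL;
}
```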