When I first got into web development I thought it was CRAZY that those config files had the password in them. Then I saw it was like that in every CMS and script on the market. The directory that has "the file that shall not be named" should have a .htaccess file in it that has "deny from all". This will prevent anyone outside the server from accessing it. Now if someone can find a file on the server that has a security flaw that allows it to display the content of another file, you are in trouble. I believe that is how phpbb.com was hacked about 8 months ago: they were using a mailing list program that someone figured out would display the content of another file on the server. The person used it to view the database config file. I could be mistaken, but that is what a brief article I read about the incident said.
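The following is an added example, not part of the original comment and not code from any project it mentions. It shows why "deny from all" does not help once a script on the server reads files by name, and how such a script can confine reads to its own directory; the function name `resolve_inside` and the directory layout are assumptions made for illustration.

```php
<?php
// .htaccess "deny from all" only blocks HTTP requests for the file. A PHP
// script reading from disk is not subject to it, so any script that opens
// files by a user-supplied name has to confine the path itself.

/**
 * Resolve $userPath inside $baseDir. Returns the absolute path, or null when
 * the file does not exist or the resolved path falls outside $baseDir.
 * (Hypothetical helper, written for this example.)
 */
function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate separators.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare with a trailing separator so "/app/public2" never matches "/app/public".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed layout in a temp directory: public/ holds files the script may
// show, config.php sits one level up, as a CMS config file often does.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'public', 0700, true);
$archive = $root . DIRECTORY_SEPARATOR . 'public' . DIRECTORY_SEPARATOR . 'archive.txt';
$config  = $root . DIRECTORY_SEPARATOR . 'config.php';
file_put_contents($archive, "list archive\n");
file_put_contents($config, "<?php \$dbpass = 'constructed-value';\n");

// Constructed requests: a normal name, a name that climbs out, a missing file.
foreach (['archive.txt', '../config.php', 'missing.txt'] as $name) {
    $path = resolve_inside($root . DIRECTORY_SEPARATOR . 'public', $name);
    printf("%-16s => %s\n", $name, $path === null ? 'refused' : 'served');
}

// Remove the constructed files.
unlink($archive);
unlink($config);
rmdir($root . DIRECTORY_SEPARATOR . 'public');
rmdir($root);
```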