by InclinedPlane 6117 days ago
Just reading. This is actually pretty bad. Consider all of the passwords embedded in connection strings and all the other various secrets contained in the source AND configuration files for a standard website. Even if your site uses all open source software, you still don't want J. Random Hacker to have write access to your database, for example.
2 comments

Maybe the real security problem is embedding passwords and other various secrets in the source code?
Of course, your database _really_ shouldn't be externally visible...
Well, don't forget about "security-in-depth". Combine "DB password on your website" with "remote unprivileged shell" on any server that can reach the DB, and now you've got a "shell into the DB".

Security exploits aren't just bad for what they directly allow, they are bad for how they often combine well.

(You, AndrewDucker, may already know this; I'm not trying to imply otherwise. I'm saying this because this is a point that needs to be made more often, too many people ignore it. Any unauthorized access into your system needs to be taken very seriously, because of this risk.)
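A small scanner for the problem InclinedPlane and the first reply describe: credentials sitting literally inside connection strings in source and config files, which is exactly what a leaked repository hands over. This is an added example, not code from the thread; the set of secret-carrying keys, the accepted placeholder syntaxes and the sample config are assumptions constructed for the demonstration.

```python
"""Flag literal credentials embedded in connection strings in source/config text."""
import re
from urllib.parse import urlsplit

# Connection-string keys that carry a credential (assumed list; extend as needed).
SECRET_KEYS = {"password", "pwd", "secret", "apikey", "token"}
# Quoted 'Key=Value;...' strings that name a server/host (ADO.NET / ODBC style).
KV_CONN_RE = re.compile(r"""["']([^"']*?\b(?:server|data source|host)=[^"']*)["']""", re.I)
# URL-style DSNs such as postgres://user:pass@host/db.
URL_RE = re.compile(r"""\b[a-z][a-z0-9+.\-]*://[^\s"'<>]+""", re.I)
# Values that defer to an external secret source (env var, template) are acceptable.
PLACEHOLDER_RE = re.compile(r"\$\{\w+\}|%\w+%|\$\w+|<[^>]+>")


def parse_kv_connection_string(s):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in s.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def is_placeholder(value):
    """True when the value is empty or references a variable rather than a literal."""
    return value == "" or PLACEHOLDER_RE.fullmatch(value) is not None


def find_embedded_secrets(text):
    """Return (line_number, key) for each literal credential found in a connection string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KV_CONN_RE.finditer(line):
            for key, value in parse_kv_connection_string(m.group(1)).items():
                if key in SECRET_KEYS and not is_placeholder(value):
                    findings.append((lineno, key))
        for m in URL_RE.finditer(line):
            password = urlsplit(m.group(0)).password
            if password and not is_placeholder(password):
                findings.append((lineno, "url_password"))
    return findings


# Constructed sample: one config entry with a literal password, one that defers to
# an environment variable, and one URL-style DSN with the password inline.
SAMPLE_CONFIG = """\
<connectionStrings>
  <add name="Main" connectionString="Server=db01;Database=shop;User Id=app;Password=hunter2;" />
  <add name="Safe" connectionString="Server=db01;Database=shop;User Id=app;Password=${DB_PASSWORD};" />
</connectionStrings>
DATABASE_URL = "postgres://app:hunter2@db01:5432/shop"
"""

if __name__ == "__main__":
    for lineno, key in find_embedded_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: literal credential in connection string ({key})")
```

Run over a checkout before it is pushed (or as a CI step) and treat any finding as a credential to move into an environment variable or secret store and then rotate, since a copy of the repository is a copy of the password.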