Hi!

I'm no programmer, but it would seem that Bot.conf/Mysql.conf is a potential security risk for people who run the bot on their webspace.

By default, the bot is accessible through the Web in these cases (and some of the posts in the help forum seem to show that some people actually use a web browser to start the bot!), and since .conf is not a recognized PHP extension, it will display as text, showing your AO login info and MySql info.

Maybe I just don't get it, but I seem to remember from the little PHP I learned in school that you always use the .php extension to avoid this problem.

Cheers,
H

Hell no, it shouldn't! But it would be an extremely easy fix, and I did see people in the support forum post code that showed they did run it in their webspace

It's not a problem as long as you run the bot as intended. 

Well, that's not totally true. But the security risks are known.

Besides, anyone who has php sockets enabled on their web server has bigger security issues than a .conf file with their AO or MySQL username/password in public web space.

I like the latter idea.
Could be as easy as checking for certain $_SERVER vars being set.
Imo implement it and prevent people from abusing a web server as bot host.