+\begin{result}
+ The database credentials are hard-coded in \code{config.php}. While it
+ would be better to pass secrets as environment variables, this is not
+ really bad practice.
+
+ However, the installation instructions state the following:
+ \begin{verbatim}
+Change the file permissions to allow all users write access to the
+folder you extracted TestCMS to.
+ \end{verbatim}
+ This implies making the configuration file readable for all users on the
+ system. This information should not be accessible for any user other than
+ running the \PHP{} script.
+\end{result}