You have to store your API key somewhere, and your site needs to know how to retrieve it.
There are two main issues with storing it directly in the file:

1. As already stated, if someone gets access to your web server or FTP information, they'll have your PayPal API information as well.
2. If your web server ever gets misconfigured and displays the actual PHP code on the browser (not uncommon), your API key will be shown to anyone who views that URL.

It might make more sense to store those details in your application's database, which, as also mentioned previously, should not be accessible from anywhere but your web server.

Ben
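One way to do what the reply above suggests, shown as an added example that is not part of the original thread: the key is read from the application database at runtime, so no PHP file under the web root contains it. The table `app_settings`, the setting name `paypal_api_key` and the function `loadSecret` are hypothetical, and an in-memory SQLite database (requires the `pdo_sqlite` extension) stands in for the real one.

```php
<?php
declare(strict_types=1);

// Added example: app_settings, paypal_api_key and loadSecret() are
// hypothetical names, and the stored key is a constructed placeholder.

/**
 * Fetch a secret from the database instead of hard-coding it in a PHP file
 * that a misconfigured web server could serve as plain text.
 */
function loadSecret(PDO $db, string $name): string
{
    // Parameterized query: the setting name is never concatenated into SQL.
    $stmt = $db->prepare('SELECT value FROM app_settings WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $value = $stmt->fetchColumn(); // false when no row matches

    // Fail closed: never fall back to a literal default kept in source.
    if ($value === false || $value === null || $value === '') {
        throw new RuntimeException("Secret '{$name}' is not configured");
    }
    return (string) $value;
}

// In-memory SQLite stands in for the application database in this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE app_settings (name TEXT PRIMARY KEY, value TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO app_settings (name, value) VALUES (?, ?)');
$insert->execute(['paypal_api_key', 'CONSTRUCTED-PLACEHOLDER-KEY']);

$key = loadSecret($db, 'paypal_api_key');
// Report only that the key was loaded, never the key itself.
echo 'PayPal key loaded, length ' . strlen($key) . PHP_EOL;

try {
    loadSecret($db, 'missing_setting');
} catch (RuntimeException $e) {
    echo 'Refused: ' . $e->getMessage() . PHP_EOL;
}
```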