I was thinking about something...

Okay, listen up: Everyone hopefully already puts their mysql password in a include file and includes that instead of just using it in their mysql connect statement. That way if php crashes and your php source is displayed, no one will see your password. Right?

Well, if your php crashes and people see your source, they will just see the name of the include file, and would be able to connect to your database using that include file...even if they dont actually know your password.

Isn't this still a security threat?