The easy solution is to store the config file outside the document root. Then no one but your PHP script will be able to access it. Most of the time the database password is stored in plain text in the PHP script; why are we now worrying about it being stored in plain text in an XML file?

using one way encryption such as MD5/SHA will be of no use as you won't be able to retrive the password again the next time you need it. If you want to maintain server level security then I suggest you use the mcrypt extension to encrypt the password before you store it in the XML file. Of course, you would then need to store the key to encrypt it somewhere; preferably securely. Why not encrypt that too? But then what do you do with the key you used to encrypt the key? See where i am going here?