Everyone has their own take on what security methods to use.
For all my apps, each SERVER_NAME is given a config file which contains the DB_USER/DB_PASS and the databases to use.
The DB_USER/DB_PASS is put into the mysql database's users table accordingly, and then that user is given access to the database from LOCALHOST only.
Thus, that user/pass combo can only connect to database X from the localhost and never remotely.
That's about as good security as you can get on the actual database access from the PHP client side.
For better data protection, all passwords and credit card info stored within the database are encrypted with 256-bit AES encryption (do NOT use DES; it gets broken for fun)... that way, even if someone did force access to the MySQL database, they would not easily get at the sensitive data contained within.
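As an added example of the storage encryption described above (this is editor-supplied code, not the poster's own), here is authenticated AES-256-GCM for a card number in PHP. The key is read from an .ini file kept outside the document root; the path /etc/myapp/secrets.ini, the key name data_key_hex, and the customer-id context string are assumptions, and a constructed demo key is used when that file is absent so the script runs on its own with php-cli. The example covers data that has to be read back, such as card numbers; for passwords, one-way hashing with password_hash() is the usual choice rather than reversible encryption.

```php
<?php
// Added example, not the original poster's code: AES-256-GCM for sensitive
// columns, key loaded from an .ini file outside $DOC_ROOT (hypothetical path).
declare(strict_types=1);

const CIPHER  = 'aes-256-gcm';
const IV_LEN  = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

/** Load the 32-byte key; a constructed demo key is used if the ini file is absent. */
function load_key(string $iniPath = '/etc/myapp/secrets.ini'): string
{
    if (is_readable($iniPath)) {
        $cfg = parse_ini_file($iniPath);
        $key = hex2bin((string) ($cfg['data_key_hex'] ?? ''));
    } else {
        // Constructed demo key only. In production generate the key once with
        // bin2hex(random_bytes(32)) and store that hex string in the .ini file.
        $key = hash('sha256', 'demo-only-key-material', true);
    }
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('data key must be exactly 32 bytes');
    }
    return $key;
}

/** Encrypt one field. $context (e.g. the row owner) is bound in as AAD. */
function encrypt_field(string $plaintext, string $key, string $context = ''): string
{
    $iv  = random_bytes(IV_LEN);   // fresh nonce per field, never reuse with the same key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout: nonce || tag || ciphertext, base64 so it fits a text column.
    return base64_encode($iv . $tag . $ct);
}

/** Decrypt one field; fails closed on a wrong key, tampering, or a different context. */
function decrypt_field(string $stored, string $key, string $context = ''): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < IV_LEN + TAG_LEN) {
        throw new RuntimeException('stored value is malformed');
    }
    $iv  = substr($raw, 0, IV_LEN);
    $tag = substr($raw, IV_LEN, TAG_LEN);
    $ct  = substr($raw, IV_LEN + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context);
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key, tampered data or wrong context');
    }
    return $pt;
}

// Demo run with a constructed test card number.
$key    = load_key();
$pan    = '4111111111111111';
$stored = encrypt_field($pan, $key, 'customer:42');
echo "stored: $stored\n";
echo "round trip ok: " . var_export(decrypt_field($stored, $key, 'customer:42') === $pan, true) . "\n";

// Same ciphertext presented under another customer id is rejected by the tag check.
try {
    decrypt_field($stored, $key, 'customer:43');
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// One flipped ciphertext byte is also rejected rather than decrypting to garbage.
$tampered = base64_decode($stored, true);
$tampered[strlen($tampered) - 1] = chr(ord($tampered[strlen($tampered) - 1]) ^ 0x01);
try {
    decrypt_field(base64_encode($tampered), $key, 'customer:42');
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Two consequences worth knowing before adopting this: because every field gets a fresh random nonce, two identical card numbers produce different ciphertexts, so an encrypted column cannot be searched by equality (keep a separate keyed hash, for example an HMAC of the value, if you need lookups); and the protection only holds while the key stays out of the database and out of anything served over HTTP, which is exactly why it belongs in the .ini file outside the document root rather than in a table.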
To protect against attacks on PHP, I turn off the expose_php setting in my php.ini and also recommend turning off show_mysql in your MySQL server config.
All my PHP classes are kept well outside the HTTP $DOC_ROOT so that they can never be accessed via an HTTP request, and in addition, all configuration settings are stored in separate .ini files that are kept in a very safe place.
For better script security, all data being sent via GET or POST is run through addcslashes() to escape any funky characters such as "|" or "`" that may be used to exploit my services, before the rest of my objects load.
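The per-SERVER_NAME config file, the localhost-only MySQL user, and the handling of request data from the post above, pulled together as one added PHP example (editor-supplied, not the poster's code). It assumes a running MySQL server, a config directory /etc/myapp/sites outside the document root, the user and database names shown in the setup comment, and a cards/customers table layout, all of which are hypothetical. It uses PDO prepared statements for the request data: with bound parameters the values never reach the SQL parser as text, so characters like | and ` need no escaping for the query itself (escaping for other sinks, such as a shell command, is a separate concern).

```php
<?php
// Added example, not the original poster's code. Hypothetical paths, user
// names and table layout; requires a MySQL server to actually run.
declare(strict_types=1);

/*
 * One-time setup, run as a MySQL administrator (hypothetical names).
 * The account is bound to 'localhost', so the same password is useless from
 * any other host:
 *
 *   CREATE USER 'shop_app'@'localhost' IDENTIFIED BY 'long-random-password';
 *   GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'localhost';
 *
 * Check that no wider entry exists for the user (only a 'localhost' row may appear):
 *
 *   SELECT user, host FROM mysql.user WHERE user = 'shop_app';
 */

const CONFIG_DIR = '/etc/myapp/sites';   // outside $DOC_ROOT, readable by the PHP user only

/** Load the .ini file for this virtual host, e.g. /etc/myapp/sites/shop.example.com.ini */
function load_site_config(string $serverName): array
{
    // Depending on the web server's settings SERVER_NAME can come from the
    // client-supplied Host header, so validate it before using it in a path.
    if (!preg_match('/^[a-z0-9.-]{1,253}$/i', $serverName) || str_contains($serverName, '..')) {
        throw new RuntimeException('refusing to load config for an unexpected server name');
    }
    $cfg = parse_ini_file(CONFIG_DIR . '/' . $serverName . '.ini', false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException('no config for this server name');
    }
    foreach (['db_name', 'db_user', 'db_pass'] as $required) {
        if (!isset($cfg[$required])) {
            throw new RuntimeException("config is missing $required");
        }
    }
    return $cfg;
}

/** Connect over the local socket as the localhost-only user from the config. */
function connect(array $cfg): PDO
{
    // host=localhost makes the MySQL client use the Unix socket, which is
    // what the 'shop_app'@'localhost' grant matches.
    $dsn = sprintf('mysql:host=localhost;dbname=%s;charset=utf8mb4', $cfg['db_name']);
    return new PDO($dsn, $cfg['db_user'], $cfg['db_pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

/** Store an already-encrypted card value for a customer; request data is bound, not interpolated. */
function save_card(PDO $db, int $customerId, string $encryptedPan): void
{
    $stmt = $db->prepare('INSERT INTO cards (customer_id, pan_enc) VALUES (:cid, :pan)');
    $stmt->execute([':cid' => $customerId, ':pan' => $encryptedPan]);
}

/** Look up a customer by the e-mail address taken straight from the request. */
function find_customer(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM customers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage from a request handler:
$cfg      = load_site_config($_SERVER['SERVER_NAME'] ?? 'localhost');
$db       = connect($cfg);
$customer = find_customer($db, (string) ($_POST['email'] ?? ''));
if ($customer !== null && isset($_POST['pan_enc'])) {
    save_card($db, (int) $customer['id'], (string) $_POST['pan_enc']);
}
```

The two things to verify after deploying this: that the .ini file is unreadable over HTTP (request it by URL and expect a 404, since it lives outside the document root), and that the application credentials are refused from a remote host (try `mysql -h <server-ip> -u shop_app -p` from another machine and expect an access-denied error).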
So there you have it: just a few pointers on how to better prepare yourself and set up a slick production website that won't come back to haunt you.