I've dealt with this situation before and have come up with the following ideas:

1. Lock down the database - create views that only allow access to the required data. the user should have select only on the specific areas required (and create session.. ;-) )
2. Passwords may be stored in a 0400 file readable only be the user that executes the script _or_ embed the password in the script, either way if the user is hacked the password can be gained. I personally prefer to embed the passwd in the script as it doesnt make an extra IO. (as always there are pro's and con's)
3. Lock down the machine, make sure the security on the server (users, host.deny|allow et al) are all up to date.
4. Lock down the server ie, make sure no directories are visible, and make sure you've got the latest patches.
5. Consider SSL, better send sensitive data over the wire encrypted than plain.
6. Consider seperating you DB from you WS, on a private network, and having only essential machines access it.
7. Consider a vpn between the DB and the WS.

Also consider obfu'ing you pwd against a casual observer, a simple xor against $0 might do the trick, not immediately obvious, just dont change the name of the script.. ;-)

HTH, and good luck!