in reply to Thinking bout security- Mysql-perl

Putting database userIDs and passwords in a separate module is an excellent idea. I recently did an on-line survey for a client in a sub-directory under my main domain. After about 5000 people had been through the survey, it finally occurred to me to check that no one could get the file listing of the directory (and therefore all of the CGIs) by chopping off 'survey.cgi' from the URL.

Yep, they sure could -- there was no index.html. But (!) because the userID and passwords were in a module in a different directory, there was no major security breach. I quickly added an index.html that does an immediate re-direct: another solution would have been to change the permissions on the directory (execute only) but the re-direct was the solution that I was able to implement the fastest.

Embarrassed? Oh yeah. Very. That's why I'm posting anonymously.
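Added example, not part of the original post: a small audit that walks a document root and reports the two conditions the post turns on, directories with no index file (listable if the server auto-indexes) and CGI scripts that pass literal credentials to `DBI->connect`. The index file names, the sample tree and the `DBCreds` module name are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Assumed index file names; match these to the server's DirectoryIndex setting.
INDEX_NAMES = {"index.html", "index.htm", "index.cgi"}
# DBI->connect(dsn, 'user', 'password') with user and password as quoted literals.
DBI_LITERAL = re.compile(
    r"""DBI->connect\(\s*[^,]+,\s*(['"])[^'"]*\1\s*,\s*(['"])[^'"]+\2""")

def audit_docroot(docroot):
    """Return (dirs lacking an index file, scripts with literal DBI credentials)."""
    no_index, inline_creds = [], []
    for dirpath, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        if not INDEX_NAMES & set(files):
            no_index.append(rel)  # listable if the server auto-indexes
        for name in files:
            if not name.endswith((".cgi", ".pl", ".pm")):
                continue
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                if DBI_LITERAL.search(fh.read()):
                    inline_creds.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(no_index), sorted(inline_creds)

def build_sample(root):
    """Constructed sample tree: docroot/ is web-served, private/ is not."""
    files = {
        "docroot/index.html": "<html></html>",
        # Like the survey in the post: no index file, credentials in a module.
        # DBCreds is a hypothetical module name.
        "docroot/survey/survey.cgi":
            "use lib '../../private';\nuse DBCreds;\n"
            "my $dbh = DBI->connect(DBCreds::dsn(), DBCreds::user(), DBCreds::pass());\n",
        # Counter-example: has an index file but hard-codes the credentials.
        "docroot/old/index.html": "<html></html>",
        "docroot/old/report.cgi":
            'my $dbh = DBI->connect("dbi:mysql:survey", "webuser", "example-pw");\n',
        "private/DBCreds.pm": "package DBCreds;\n1;\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(root, "docroot")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_docroot(build_sample(tmp)))
```

On the constructed tree the survey directory is reported as lacking an index file but its script is clean, while `old/report.cgi` is flagged for inline credentials even though its directory has an index.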