in reply to Re: Re: MySQL Status Tool
in thread MySQL Status Tool

I might be missing something here, but... maybe you should differentiate the two functions that are currently served by the password: (1) validating the person posting the request vs. (2) logging into the database. If your DB status report includes stuff that you don't want to make public (and/or you don't want the public pinging your DB at will), then do something for validation -- whatever's workable and adequate -- that does not involve sending the login password.

Put the actual DB login password in the code itself -- actually, in a module or "require" file that's readable when the script executes under the web server, but is not directly under $webhome.

Warning: I haven't researched this idea to figure out how vulnerable it might be (if anyone has facts or data on this, I'd love to hear it), but it seems safer than having ( $user_validation eq $rootlogin ) going through sniffable switches, even granting that it's only "DB root" that we're talking about here (I hope that's all you're talking about).
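
A sketch of the split suggested above, as an added example that is not part of the original post or thread. The directory layout, the file name dbcreds.pl, the status_ro account and both token strings are constructed for illustration, and everything is built in a temp directory so it runs without a web server or database:

```perl
use strict;
use warnings;
use Cwd qw(abs_path);
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

# Constructed layout: a web root and a private "require" file beside it.
my $base    = abs_path(tempdir(CLEANUP => 1));
my $webhome = "$base/htdocs";             # what the web server serves
my $secret  = "$base/private/dbcreds.pl"; # outside $webhome
mkdir $_ or die "mkdir $_: $!" for $webhome, "$base/private";
open my $fh, '>', $secret or die "open: $!";
print {$fh} "+{ dsn => 'DBI:mysql:database=test', user => 'status_ro', pass => 'CONSTRUCTED' };\n";
close $fh or die "close: $!";
chmod 0600, $secret or die "chmod: $!";   # readable only by the script's user

# (2) DB login: loaded only from a file that is outside the web root and
# not readable by group or other.
sub load_db_credentials {
    my ($path, $webroot) = @_;
    my $real = abs_path($path) // die "cannot resolve $path\n";
    die "credential file is under the web root\n"
        if index("$real/", abs_path($webroot) . '/') == 0;
    my @st = stat $real or die "cannot stat $real: $!\n";
    die sprintf("mode %04o is too open\n", $st[2] & 07777) if $st[2] & 0077;
    my $cfg = do $real or die "cannot load $real: " . ($@ || $!) . "\n";
    return $cfg;
}

# (1) Requester validation: its own token, stored only as a digest and
# compared without an early exit. It is never the DB password.
my $token_digest = sha256_hex('constructed-status-token');
sub requester_ok {
    my ($supplied) = @_;
    my ($x, $y) = (sha256_hex($supplied // ''), $token_digest);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($y) - 1;
    return $diff == 0;
}

for my $try ('constructed-status-token', 'constructed-db-password') {
    if (requester_ok($try)) {
        my $cfg = load_db_credentials($secret, $webhome);
        # Real script: DBI->connect(@{$cfg}{qw(dsn user pass)}, { RaiseError => 1 });
        print "accepted: would connect as $cfg->{user}\n";
    } else {
        print "rejected: no DB connection attempted\n";
    }
}
```

The request token still crosses the network, so it only stops being sniffable if the status page is served over TLS; what the split buys is that a captured token does not double as a database login.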