in reply to Re: Protecting your DBI user/password in scripts?
in thread Protecting your DBI user/password in scripts?

In fact, using a DBI proxy living on a different machine is an excellent suggestion: you can restrict the SQL queries the proxy will accept and forward to the real database. That means far more granular control over what can be submitted from the webserver tier: you could, for example, restrict scripts on the webserver to a single, fixed SELECT query or maybe only certain UPDATE queries. Now even if someone cracks the webserver and gains the script's login data, he can't do any more than the script is allowed to. Your restrictions will need some thought to not allow circumvention, of course.

Makeshifts last the longest.

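An added illustration of the restriction described in the reply above (not code from the thread): a DBI::ProxyServer configuration file that uses the module's per-client `sql` allow-list, so the web tier can only run statements by name. The address mask, port, statement names, tables and DSN are assumptions made up for this example.

```perl
# dbiproxy.conf: passed to dbiproxy with --configfile.
# Constructed example; mask, port, names and SQL are placeholders.
{
    localport => 3334,
    mode      => 'fork',

    clients => [
        {
            # Only the web server's address may connect.
            mask   => '^192\.0\.2\.10$',
            accept => 1,

            # With an `sql` hash present, the proxy treats the first word
            # of whatever the client passes to prepare() as a key into
            # this hash and substitutes the stored statement. Anything
            # that is not a key here is refused before it reaches the
            # real database.
            sql => {
                get_article => 'SELECT title, body FROM articles WHERE id = ?',
                count_view  => 'UPDATE articles SET views = views + 1 WHERE id = ?',
            },
        },

        # Every other client is rejected.
        { mask => '.*', accept => 0 },
    ],
}

# Web-tier script (DBD::Proxy), for reference:
#
#   my $dbh = DBI->connect(
#       'dbi:Proxy:hostname=dbproxy.example;port=3334;dsn=dbi:mysql:app',
#       $user, $pass, { RaiseError => 1 });
#   my $sth = $dbh->prepare('get_article');   # a name, not SQL text
#   $sth->execute($id);                        # value bound to the placeholder
#
# Keep every variable part a bound placeholder (?). A stored statement
# that interpolates client input, or a catch-all entry, reopens the
# circumvention the restriction is meant to close.
```

The database account the proxy connects with should itself hold only the privileges these statements need, so the allow-list is not the only control.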