Hello Massyn,
I'm not trying to be funny here but when you say:

Even if you manage to get onto the web server, you should not be able to get the username and password off any text file on the server -- that's what I'm trying to achieve.

Have you considered what's in the /var/lib/mysql/mysql/ directory? (Of course your path may be different). Taking a peek at user.ISD will give you usernames and passwords, albeit the password is encrypted, but that for a wily cracker wouldn't present too much of a problem if they where smart enough to get past your firewall and gain entry to your server.

Again, I'm not trying to be a smarty pants its just so you take that into consideration if you hadn't known or thought about it yet. :)