in reply to Handling Passwords Securely

Storing your password outside of your HTML root is a good start. Remember to configure your dbserver to only accept connections with that username/password from the webserver's IP as well; it's not perfect protection, but at least an attacker somehow getting the username/password combo would need to attack the database server from that host. Also remember to give the account as few permissions as possible on the DB. Don't give the user delete or alter permissions on any table unless absolutely necessary, and definitely don't give it drop or create permissions.
daN.
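The host restriction and minimal grants described in the reply above, as an added example that is not part of the original post. It assumes a MySQL server; the account name `webapp`, the schema `appdb` with its tables, the address `192.0.2.10` and the password are all hypothetical placeholders.

```sql
-- Added example (MySQL syntax assumed). All names, the IP address and the
-- password below are placeholders, not values from the original thread.

-- Weak setup to avoid: usable from any host, every privilege on every schema.
--   CREATE USER 'webapp'@'%' IDENTIFIED BY 'CHANGE_ME';
--   GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%';

-- Hardened setup: the account only exists for connections that originate
-- from the web server's address.
CREATE USER 'webapp'@'192.0.2.10' IDENTIFIED BY 'CHANGE_ME';

-- Grant per table, and only the statements the application really issues.
GRANT SELECT                 ON appdb.articles TO 'webapp'@'192.0.2.10';
GRANT SELECT, INSERT         ON appdb.comments TO 'webapp'@'192.0.2.10';
GRANT SELECT, INSERT, UPDATE ON appdb.sessions TO 'webapp'@'192.0.2.10';

-- DELETE only on the one table where the application must purge rows.
GRANT DELETE ON appdb.sessions TO 'webapp'@'192.0.2.10';

-- No ALTER, DROP or CREATE anywhere; schema changes are made with a
-- separate administrative account that the web server never uses.

-- Check 1: confirm what the account actually holds.
SHOW GRANTS FOR 'webapp'@'192.0.2.10';

-- Check 2: accounts that may connect from any host.
SELECT user, host
FROM mysql.user
WHERE host = '%';

-- Check 3: global or schema-wide grants of the privileges the reply warns
-- about. The web account should not appear in either result.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type IN ('DELETE', 'ALTER', 'DROP', 'CREATE');

SELECT grantee, table_schema, privilege_type
FROM information_schema.schema_privileges
WHERE privilege_type IN ('DELETE', 'ALTER', 'DROP', 'CREATE');
```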