While everyone else is adding the way they do it ... I'll add mine. I don't store the password absolutely anywhere. The database I use allows (mandates) OS authentication for the database. So I can have the user that apache is running under authorised for the database, and then I don't have any password to give.

This has some drawbacks, but I'm not sure that for web apps that it's any worse than other solutions - sure, a co-hosted CGI app may be able to connect to the db as well, but then a co-hosted CGI could also grab the password from wherever I put it (encrypted or not). At least because I don't have a password to steal, no one can use the database other than as a co-hosted CGI app. (And, of course, there are no CGI apps co-hosted on any of my servers that aren't written by me or someone I trust.)

PS - the web user only has as much authority as is needed, definitely not the authority to grant authority to other users.