Database security - PHP code
From: Dariusz (ng_at_lycaus.plusYOUR***.com)
Date: 10/14/04
Date: Thu, 14 Oct 2004 14:54:24 GMT
I have been reading a little that you should secure your PHP code to
prevent SQL injection into a database (MySQL in my instance), mainly by
checking the type of data to be put into a database, and if text, to
addslashes() the data.

What I have not managed to find out is, does SQL injection threaten the
input of data into a database, i.e. a guestbook, or the reading of a database
where the user would not know if the data is being read from a database?

Is there anything else to consider to make a database more secure?

In particular, I have read here a few months back that it's a good idea to
keep the username / password of the connection outside the root of the
website. How would I access the password file then? What I mean is, if I
want a certain file in my site I could access it by writing:

www.mysite.com/password.php

But as it would now be outside the root, how would I be able to get to the
password.php file?

I have also read a bit that you can assign privileges (similar I guess to
rwe for a directory / file) but to the database access, but can't find
anything about it. Is there a good (beginners) guide to privileges?

And just in case, I did RTFM, but there are many versions which make it
confusing on who is right.

Thanks
Dariusz
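
An added example, not part of the original post, of two measures the message asks about: loading connection settings from a file outside the web root, and treating both guestbook writes and reads as user input. It assumes PDO with the SQLite driver as an offline stand-in for MySQL and binds parameters instead of calling addslashes(); the config path, table and function names are hypothetical.

```php
<?php
// Added example; paths, table and function names are hypothetical.
// Constructed stand-in for a config file stored OUTSIDE the document root,
// e.g. /home/site/private/db_config.php beside /home/site/public_html/.
$configPath = sys_get_temp_dir() . '/db_config_example.php';
file_put_contents(
    $configPath,
    "<?php\nreturn ['dsn' => 'sqlite::memory:', 'user' => null, 'pass' => null];\n"
);

// require takes a filesystem path, not a URL, so PHP can read the file
// even though no browser request can reach it.
$cfg = require $configPath;
// For MySQL the dsn would look like 'mysql:host=localhost;dbname=guestbook'.
$db = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass']);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, author TEXT, message TEXT)');

// Writing: text is passed as a bound parameter, so quotes stay data, not SQL.
function add_entry(PDO $db, string $author, string $message): void
{
    $stmt = $db->prepare('INSERT INTO guestbook (author, message) VALUES (?, ?)');
    $stmt->execute([$author, $message]);
}

// Reading: the id usually arrives in the URL, so it is user input as well.
// Check the type first, then bind it.
function get_entry(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // not an integer: reject before touching the database
    }
    $stmt = $db->prepare('SELECT author, message FROM guestbook WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: text containing quotes, a valid id, a non-integer id.
add_entry($db, "O'Brien", 'It\'s a "quoted" message');
var_dump(get_entry($db, '1'));
var_dump(get_entry($db, '1x'));
unlink($configPath);
```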