I tend to store passwords in MySQL as hashed values (usually md5), and if I am using scripts to connect to the database, I name that file (for example) connect.inc and add an .htaccess file to stop user download of any files called *.inc. Or store those files outside the web root in the include path. And treat all user data as tainted, and use mysql_real_escape_string before entering it into the database. Or set ini values locally using ini_set or .htaccess to disable register_globals etc.

There are many security suggestions for PHP; like anything, it is only as secure as the code you write. I do agree with previous suggestions - if you are unsure about all this, get someone else to write or audit your code before slinging that stuff into production. It's a complex subject, but there are many best practice guidelines you can find by browsing php.net, Googling for it or picking up a good book - PHP Security by O'Reilly being a good choice for starters.

By looking at your code and guessing that you are having problems with PHP 'basics' like variable interpolation and escaping, I would either follow the suggestions, or get hold of Programming PHP and read it and reread it.
-- http://www.web-buddha.co.uk
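
The two .htaccess measures mentioned in the message above, written out as an added example that is not part of the original post. It assumes Apache with .htaccess overrides permitted for the directory, and PHP loaded as mod_php5 in a version earlier than 5.4 (register_globals was removed in 5.4).

```apache
# .htaccess in the web root (added example; assumptions noted above).
# The server's AllowOverride setting must permit these directives,
# otherwise Apache ignores the file or answers with a 500 error.

# Refuse to serve any file whose name ends in .inc, so connect.inc
# cannot be downloaded as plain text with its database credentials.
<FilesMatch "\.inc$">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Turn register_globals off for this directory tree.
# Only takes effect when PHP runs as the mod_php5 Apache module.
<IfModule mod_php5.c>
    php_flag register_globals off
</IfModule>
```

To check the result, request connect.inc through the web server and confirm a 403 response, and confirm that phpinfo() reports register_globals as Off in the Local Value column.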