Thanks for all the help. Sorry I didn't do much searching beforehand.

My main focus, I should have said, is the less clueful user. I'm trying to create a script which anyone can drop in quickly and use with minimal setup.

And this is presumably the reason why MT did it that way? What happens if you use the DBD approach mentioned above, but you can't trust your users to know how to set permissions correctly? Is their approach a bit kludgey, but justifiable in the context of security for people who don't understand security?

I'm still not sure how the bad guys could get my username and password if I have it in a regular CGI script and don't use CGI::Carp or anything which would give out error specifics to a browser.