Background: I'm developing a PHP/MySQL app where each account has its own MySQL database (an account would be for a company with multiple users, not 1 db for each user). A central 'users' database stores all accounts and users and points the incoming user login to their correct account db. One feature of the app is that users can upload and store files on my server.

Ok, I've got two concerns...
1) I'm storing user upload files 1 level above the web-root. This is mainly to protect users' data. I'm filtering the uploads and only allowing acceptable data types (.pdf, etc.; no executables). My question here is: are there any concerns with users uploading malicious files? What could happen?

2) My other concern is that I have a PHP file located above the web-root that contains the username and password for the 'user' db and all of the account content dbs. Even though the passwords are located outside of the web-root, I'm concerned about every account's individual database having the same username and password located in a single file. Is this a valid concern?

Thanks for your help.