Yes, this is common. Most web apps and web sites do something like this. WordPress, for example, uses a single username and password to access the database. It's fine.
WordPress keeps its secrets (passwords and some other things) in a file called /wp-config.php. A properly configured web server won't allow a site visitor to see that file directly. It should be set up to always run, and never display, php files when a user asks for those files in a URL. Instead, other parts of the web app include or require it in their code, to get the secrets. WordPress has a good description of this file in their docs.
If you want slightly tighter security though, I suggest creating four usernames/passwords for your database, and for backups. (Some people use a separate username for backups.)
- reporting: This user has only read privileges to your tables, and is used when your web app (or associated utilities) must generate reports or information displays from your data.
- general use: This user has read privileges and limited write privileges. For example, this user might be able to read the
user table and both read and write the loginlog, posts, and comments tables. This one is used for most routine web app operations.
- admin. This user has read and write privileges to all, or almost all tables. The web app uses this user when doing things like creating or deleting users, changing passwords, or performing billing operations.
- super. This user's password is never stored in the web app, but rather is used by an administrator to maintain the database. This is the only user that can create, drop, and truncate tables, create and drop views, stored functions, and other database objects. Keeping this user's password off your web server means that a miscreant can't get to it even if they succeed at pwning your web app.
Then, the user names and passwords of your web app's users will be their own, and not a database access user/password.
