It's been mostly covered: most shared hosts will allow you to set up an htaccess-protected directory. What is the site management app (Plesk, cPanel, etc.)? Stopping SQL injection isn't that hard, so it's rather disturbing that so much shows up online in PHP apps. First you need to take input in as a var, and then before that is pushed into SQL the submit.php should do some validation. If you can't get the canned scripts to work you will need to make your own. This isn't too difficult, as you must know what the input can and can't be (length, character types, etc.). Then escape the input to clean up what's left (something like mysql_escape_string(), or as a last resort addslashes()).

For the love of god, don't store your DB connection info in a plain txt file; it will be found and read.

This site is very good for looking into PHP security: http://phpsec.org/projects/guide/3.html (the link is their SQL injection guide). Beyond that, remember security through obscurity isn't secure. I don't care if you didn't link the directory, someone will find it (you are on a shared server; someone else may have been exploited and granted a shell, PHP file upload exploits are notorious for this, and then your "hidden" directory is hosed).

Hey, if you are still at it in May, pick up a copy of SAMS Teach Yourself PHP Security. I am hoping to have it out in time for RSA.
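The validate-then-query flow the post describes (check length and character class in submit.php, then keep the value from altering the SQL), as an added example that is not part of the post above. It goes one step beyond the post's escaping approach by binding the value as a parameter with PDO, which is the general form of the same idea. The `users` table, the 3-32 character `[A-Za-z0-9_]` rule, and the placeholder DSN and credentials are assumptions made for the example.

```php
<?php
// Added example, not code from the post. Validates a username field
// (length and character-class checks, as the post suggests) and then
// passes it to the database as a bound parameter rather than splicing it
// into the SQL text. Assumes a table `users(id, username)`; DSN and
// credentials below are placeholders.

declare(strict_types=1);

/**
 * Returns the validated username, or null if the input is unacceptable.
 * The rules are an assumption for this example: 3-32 chars, [A-Za-z0-9_] only.
 */
function validate_username(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;               // rejects arrays/objects from ?username[]=x
    }
    $len = strlen($raw);
    if ($len < 3 || $len > 32) {
        return null;
    }
    // \A and \z anchor the whole string; $ alone would allow a trailing newline.
    if (preg_match('/\A[A-Za-z0-9_]+\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Looks up a user by name. The value never becomes part of the SQL text:
 * it is bound as a parameter, so quote characters in it cannot change the
 * statement's structure.
 */
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- submit.php-style request handling ---
$username = validate_username($_POST['username'] ?? null);
if ($username === null) {
    http_response_code(400);
    exit('invalid username');
}

// Credentials should be loaded from a file outside the web root rather than
// hard-coded here; APP_DB / APP_USER / APP_PASSWORD are placeholders.
$db = new PDO('mysql:host=localhost;dbname=APP_DB', 'APP_USER', 'APP_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepared statements
]);

$user = find_user($db, $username);
echo $user === null
    ? 'no such user'
    : htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```

The validation step still matters even with parameter binding: it rejects inputs the application never expects (wrong type, wrong length, stray characters) before they reach any other code path, and the output is HTML-escaped separately because SQL escaping and HTML escaping solve different problems.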