When it is on online database, everyone will be able to get the password/username of it, when you are sending it. Thus everyone can modify/delete your database.
A good example was Super Meatboy, which did directly connect and was hacked because of this.
Who to hell send name/pw via url or http header? that would be real stupid application design. As I read about your security concerns I thought about security leaks in mysql itself.