As far as I know, all of the code in the PowerStore was written in a way to prevent SQL injection and database manipulation like you have noted. It uses the standard DW code for the recordsets, which has measures to prevent injection. Also, the triggers for the various server behaviors are designed in such a way to prevent external or cross-site scripting.
As for encrypting the passwords, you can do this in the PHP code. The idea is that you insert the encrypted version of the password into the db. When the user logs in, you take the value from the user and encrypt it when you are comparing it to the value in the db.
When it comes to retrieving the password, though, you will not be able to directly do so. The best you can do in this case is to send the user an email to the email address they have on file. In here you post a reset password link that has a unique identifier that you store in the db. If the user id matches the record in the db and the identifier is correct, then you can just have the user set the new password.
This is kind of a high level overview of the process. There is a Solution Recipe that goes along with Security Assist to help you implement an encrypted password system like this. The Solution Recipe can be found on the Security Assist support page.
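The store-compare-reset flow described above, as an added example that is not part of the original post, PowerStore, or the Security Assist Solution Recipe. It uses PHP's `password_hash()`/`password_verify()` (salted one-way hashing) in place of "encrypting", and assumes a hypothetical `users` table, hypothetical function names, and an in-memory SQLite database through PDO.

```php
<?php
// Added example: hypothetical schema and function names, not PowerStore or Security Assist code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
           pw_hash TEXT, reset_hash TEXT, reset_expires INTEGER)');

function register(PDO $db, string $email, string $password): void {
    // Store only a salted one-way hash, never the password itself.
    $stmt = $db->prepare('INSERT INTO users (email, pw_hash) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    // password_verify re-hashes the input with the stored salt and compares in constant time.
    return is_string($hash) && password_verify($password, $hash);
}

function startReset(PDO $db, string $email): ?string {
    $token = bin2hex(random_bytes(32)); // unguessable identifier for the emailed link
    $stmt = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE email = ?');
    $stmt->execute([hash('sha256', $token), time() + 3600, $email]); // only the token's hash is stored
    return $stmt->rowCount() === 1 ? $token : null; // caller emails the raw token to the address on file
}

function finishReset(PDO $db, int $userId, string $token, string $newPassword): bool {
    $stmt = $db->prepare('SELECT reset_hash, reset_expires FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int)$row['reset_expires'] < time()
        || !hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false; // unknown user, no pending reset, expired link, or wrong identifier
    }
    // Set the new password and clear the identifier so the link works only once.
    $stmt = $db->prepare('UPDATE users SET pw_hash = ?, reset_hash = NULL, reset_expires = NULL WHERE id = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    return true;
}

// Constructed sample data: wrong token, correct token, login with new password, replayed token.
register($db, 'alice@example.com', 'old-secret');
$token = startReset($db, 'alice@example.com');
var_dump(finishReset($db, 1, 'wrong-token', 'new-secret'));
var_dump(finishReset($db, 1, $token, 'new-secret'));
var_dump(login($db, 'alice@example.com', 'new-secret'));
var_dump(finishReset($db, 1, $token, 'another-secret'));
```

Because only a hash of the reset identifier is kept, a read of the `users` table does not yield a usable reset link, and the one-hour expiry here is an assumed value.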