I'm still using DW CS3, not 4 - haven't upgraded yet.
The entire site is dynamic, including the menu items. The client can actually build menu items and add content to those menu items through her admin area.
I'm not sure I understand this statement:
One thing you can do is create a database user with read-only access and make sure that is the one used on the front end so that SQL injection won't be possible for updating the database anyway.
Are you talking about when I set up the connection through Dreamweaver?