Failure to password-protect a database is so careless or naive as to be almost negligent. Databases should always be password protected, but the use of a database connection with an empty password is a clear indication of a database that is not protected.
This rule flags database connections with empty passwords.
<?php
$servername = "localhost";
$username = "AppLogin";
$password = "";
// MySQL
$conn = new mysqli($servername, $username, $password);
// MySQL
$conn = mysqli_connect($servername, $username, $password);
// PDO way
$conn = new PDO("mysql:host=$servername;dbname=myDB", $username, $password);
// Oracle
$conn = oci_connect($username, $password, "//localhost/orcl");
// MS SQL Server
$sqlsrvName = "serverName\sqlexpress";
$sqlsrvConnInfo = array( "Database"=>"myDB", "UID"=>$username, "PWD"=>$password);
$conn = sqlsrv_connect( $sqlsrvName, $sqlsrvConnInfo);
// PosgreSQL
$pgConnInfo = "host=localhost port=5432 dbname=test user=" . $username . " password=" . $password;
$conn = pg_connect($pgConnInfo);
?>