I've come to think about the question wether it's possible to disassemble a program to retrieve the credentials it's using to connect to a database, or perhaps intercept the program upon runtime and manipulate the (SQL) query (not talking about SQL-injection).
Perhaps it's an ridiculous idea, but I need to know if the program that my customers recieve should use an account that only has access (and rights, i.e read-only) to specific tables.
It's definitely not a ridiculous idea - there are many tools to disassemble a program into source-code. In the .NET world you have Reflector and ILSpy for example, and most languages have something equivalent.
If a username or password appears in plain-text in the source code, then it is trivially easy to obtain it with dissassembly tools. If it appears encrypted, but the encryption algorithm and key are part of your source code, then it is merely quite easy to obtain it.
To resolve this, in the .NET world you can store an encrypted password in the config file.
Alternatively, you can configure the database to use domain authentication, in which the user's domain account is transparently used for access, not a hard-coded username/password.
Finally, you should always use the Principle of Least Privilege wherever possible - only allow a user permission to perform the smallest subset of actions that is required.