In one PHP file, dbConnect.php, the creator of the program starts off by using mysql_connect() to connect to MySQL with a user ID and password before the User's Login ID is even tried. Is this necessary? Is this how it has to be? I mean, he puts a Login_ID and Password directly into the PHP code of this program. The Password happens to also be the Administrator's password to MySQL. This somehow doesn't seem right to me. This was done back in 2009 by the then developer.
Having MySQL credentials hardcoded somewhere is necessary for the app to be able to connect to the database. Each app should have its own MySQL account. You should never use the root account for anything other than DBA-type work. Certainly no web app should ever use it.
Yes, I would recommend that you create a MySQL user with only the privileges that the application needs and connect from PHP using that. Never use root.
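
The advice in the answers above, written out as SQL. This is an added example, not code from the original program or from either answer. It assumes MySQL 5.7 or later, a hypothetical application schema `appdb`, a hypothetical account `'webapp'@'localhost'`, and that the administrator account is `'root'@'localhost'`; the passwords are placeholders.

```sql
-- Run these as a DBA account, not as the application.
-- Assumed names (not from the original post): schema `appdb`,
-- account 'webapp'@'localhost'. Passwords below are placeholders.

-- 1. Dedicated account for the web app, restricted to connections
--    from the web server host (here: the same machine).
CREATE USER 'webapp'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_GENERATED_PASSWORD';

-- 2. Only row-level rights, only on the application's own schema.
--    No DROP, ALTER, FILE, GRANT OPTION or access to other schemas.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON appdb.* TO 'webapp'@'localhost';

-- 3. Verify the result. Expect "GRANT USAGE ON *.*" plus the single
--    appdb.* grant from step 2 and nothing else.
SHOW GRANTS FOR 'webapp'@'localhost';

-- 4. Audit: list every account that holds administrative global
--    privileges. The account used by dbConnect.php must not appear here.
SELECT user, host
FROM mysql.user
WHERE Super_priv       = 'Y'
   OR Grant_priv       = 'Y'
   OR File_priv        = 'Y'
   OR Create_user_priv = 'Y'
   OR Drop_priv        = 'Y'
   OR Shutdown_priv    = 'Y';

-- 5. Once dbConnect.php connects as 'webapp', change the administrator
--    password, because the old one has been sitting in the PHP source.
ALTER USER 'root'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_NEW_ADMIN_PASSWORD';
```

If the application also runs schema migrations, give those a separate account with `CREATE`/`ALTER` on `appdb.*` rather than widening the web account.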