
I am wondering if anyone has some thoughts on the security of this in a web application? Storing the private keys in a database connected to one's web app is just a bad idea, right? So then it just becomes a proxy to the bitcoind installation via JSON-RPC? Would it be considered safe to encrypt users' private keys via their password+hash+salt, the same way I'm storing their passwords?


Yep, storing your bitcoins in a plain web app is definitely a bad idea. The current trend in the bitcoin space is a mixture of:

* Discouraging the use of the web app (if any is available) in favor of a browser application (Chrome app, Firefox app, etc.)

* 2 factor auth to login

* Bitcoin "multisig" transactions: require at least N out of M valid private keys (allowing the storage of these keys to be on different devices/services/media) before releasing funds

And of course encryption before storage.



