If you are using the php/mysql code that Dreamweaver uses, you are good to go with Dreamweaver as it santizes the input and helps prevent SQL injection.  **NOTE** This is true for Dreamweaver 8.02 and above.  Older version of Dreamweaver did not prevent sql injection well.  However, if you modify the dreamweaver code, then you have to make sure you are properly sanitizing the input.  The code at the top of each page in regards to magic quotes is the santizer.

In regards to XSS, you have to sanitize the output.  I usually do this: <?php echo htmlentities($row_Recordset1['column_name],ENT_QUOTES);?>  Please see http://php.net/manual/en/function.htmlentities.php so that you get a better understanding of this PHP function.

Some other things you can do is if running on apache look into mod_security to help with sql injection attacks.  You can also look at htmlpurifier http://htmlpurifier.org/ to further help with XSS attacks.

An SSL certificate only helps protect the data that is transmitted between the browser and the server by encrypting that communication.  However, an SSL certificate does NOT protect against SQL injection or XSS.  This is update to the person programming the web pages to do. The person programming needs to sanitize the input coming from users.  Dreamweaver santizes input to help prevent SQL injection.  However, if you allow a user to intput say into a comments section, it your job as a programmer to sanitize what was inputted so that they don't put in javascript that can cause havoc for other users.  TO sanitize user input I usually  add change what dreamweaver puts in as <?php echo $row_Recordset1['column_name'];?> and i change it to <?php echo htmlentities($row_Recordset1['column_name'],ENT_QUOTES);?>.  What this does it is replaced characters with HTML characters.  This way the browser only spits out what it is supposed to.  For example instead of spitting out a quote, it will change the quote to a ' which the browser will convert to a single quote.  This way if someone puts in evil javascript, it won't exectute because the single quote is missing.