'An additional "static salt" does not help unless the attacker has the password database but not the "static salt" which is also not very likely.'
I don't really know why you think that this is unlikely to happen. Think about an SQL injection attack, which reveals the users table, but leaves the PHP code / INI config / etc. untouched.

Regards,
Ádám
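
The scenario discussed above, as an added example that is not part of the original comments: a users-table row is built with a per-user salt plus a "static salt" (pepper) that is kept outside the database, and the check shows that the dumped row alone cannot confirm even the correct password. The names `PEPPER`, `make_row`, `verify` and `leaked_row_is_testable`, the HMAC-then-PBKDF2 construction and all sample values are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "static salt" (pepper). Assumption: in a real
# deployment it lives in app config or a secrets store, never in the database.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"
ITERATIONS = 100_000  # demo value for PBKDF2-HMAC-SHA256


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Key the password with the pepper first, then stretch with the per-user salt.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def make_row(username: str, password: str, pepper: bytes = PEPPER) -> dict:
    """Build what the users table stores: per-user salt and digest, no pepper."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt.hex(),
            "hash": _derive(password, salt, pepper).hex()}


def verify(row: dict, candidate: str, pepper: bytes) -> bool:
    """Check a candidate password against a stored row using the given pepper."""
    expected = bytes.fromhex(row["hash"])
    actual = _derive(candidate, bytes.fromhex(row["salt"]), pepper)
    return hmac.compare_digest(expected, actual)


def leaked_row_is_testable(row: dict, true_password: str) -> bool:
    """Model a party holding only the dumped row: without the pepper, even the
    correct password cannot be confirmed against the leaked hash."""
    not_the_pepper = b"value-known-only-from-the-dump"  # constructed wrong key
    return verify(row, true_password, not_the_pepper)


if __name__ == "__main__":
    row = make_row("alice", "correct horse")  # constructed sample user
    print("app login ok:     ", verify(row, "correct horse", PEPPER))
    print("wrong password:   ", verify(row, "Tr0ub4dor", PEPPER))
    print("dump alone usable:", leaked_row_is_testable(row, "correct horse"))
```

The protection holds only while the pepper stays out of reach: if the config file is exposed together with the table, the rows are as testable as ordinary salted hashes.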
