If possible, put the MySQL connection details in one file only, and place that file somewhere above the level of the web root. This means the file will be completely inaccessible to anyone browsing over the web. Of course, if they knew your FTP login details, they could still access it (and everything else).
It's a good practice to put all your back-end files above the web root (PHP scripts, etc.). Only front-end stuff (HTML, CSS, JavaScript, images...) belongs at (or below) the level of the web root. Of course, your HTML documents may contain small amounts of PHP, and that's fine.
You then use includes to...er, include this file in your pages. To make this work, you need to know the full directory path on the server. For example, it might be something like: /home/yoursite/bin/mySQLconnect.php (if you placed the connection file in the bin directory).
Better yet, make a database object. You can then keep all the code for connecting to the database encapsulated in (and private to) this object, so that when you want to connect to the database, you just write something like this:
$db->connect();
This is the approach used by PHP frameworks (of course, the database object lives in a file above the web root).
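One way to write such a database object, as an added example that is not code from the original page. The class name Database, the array returned by the connection file, the use of PDO and the placeholder credentials are assumptions; the /home/yoursite/bin path is the one used above.

```php
<?php
// Added example. Assumed layout, using the path from the text:
//   /home/yoursite/bin/mySQLconnect.php  - connection details, above the web root
//   /home/yoursite/bin/Database.php      - this class, above the web root
// mySQLconnect.php is assumed to hold nothing but (placeholder values):
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//                 'user' => 'app_user', 'pass' => 'PLACEHOLDER'];

final class Database
{
    private ?PDO $pdo = null;       // the open connection, private to this object
    private string $configFile;     // full server path of the connection file

    public function __construct(string $configFile)
    {
        $this->configFile = $configFile;
    }

    public function connect(): PDO
    {
        if ($this->pdo !== null) { return $this->pdo; }   // already connected
        $real = realpath($this->configFile);
        if ($real === false || !is_readable($real)) {
            throw new RuntimeException('Database configuration is missing.');
        }
        // Refuse a connection file that has ended up inside the web root.
        $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
        $root = $docRoot !== '' ? realpath($docRoot) : false;
        if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
            throw new RuntimeException('Database configuration is inside the web root.');
        }
        $cfg = require $real;       // the file returns the array shown above
        try {
            $this->pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false,
            ]);
        } catch (PDOException $e) {
            // Keep the detail in the server log; the visitor sees a generic error.
            error_log('Database connection failed: ' . $e->getMessage());
            throw new RuntimeException('Database connection failed.');
        }
        return $this->pdo;
    }
}

// From a page under the web root:
//   require '/home/yoursite/bin/Database.php';
//   $db = new Database('/home/yoursite/bin/mySQLconnect.php'); $db->connect();
```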
You can also encrypt the database password. I'm a bit shaky on the theory here, but a simple method is to generate an md5 hash of your password. Instead of storing the raw password in your file, you store the hash. In your database connection function/method, you decode the hash.
Let's say your password was "my-weak-password". In PHP, for example, you would generate a hash by running md5("my-weak-password"). You then take the output (say, "f13jhvg0be8r32lfdgu9") and store it as your password ($db-password). In your connection function/method, instead of supplying the argument "$db-password", you supply the argument "base64_decode($db-password)".
You can make this encryption much more secure by adding a salt.