How can a hacker get my db credentials if I keep them in a php file at the root?
Please check here for discussion http://phpsec.org/projects/guide/3.html
It is said that:
"...Potential problems arise when this file is somewhere within document root. This is a common approach, because it makes include and require statements much simpler, but it can lead to situations that expose your access credentials.
Remember that everything within document root has a URL associated with it. For example, if document root is /usr/local/apache/htdocs, then a file located at /usr/local/apache/htdocs/inc/db.inc has a URL such as http://example.org/inc/db.inc
Combine this with the fact that most web servers will serve .inc files as plaintext, and the risk of exposing your access credentials should be clear. A bigger problem is that any source code in these modules can be exposed, but access credentials are particularly sensitive..."
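
To check your own server for the exposure the quoted guide describes, the script below (an added example, not part of the original post or the guide) lists every file under a document root that maps to a URL, is not executed by PHP, and contains credential-like text. The function names, the credential pattern, and the assumption that only `*.php` and `*.phtml` are handed to the interpreter are illustrative; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a document root for include files that have a URL
# and would be served as plaintext instead of being executed by PHP.

# Assumption: heuristic pattern for database credentials in PHP include files.
CRED_RE='(passw(or)?d|db_?(user|pass)|mysqli?_connect|new +PDO)'

# audit_docroot DOCROOT BASE_URL
# Prints one URL per exposed file. Assumes the server hands only *.php and
# *.phtml to the interpreter and serves every other file as plaintext.
audit_docroot() (
    docroot=${1%/}
    base=${2%/}
    find "$docroot" -type f ! -name '*.php' ! -name '*.phtml' \
        -exec grep -Eil "$CRED_RE" {} + 2>/dev/null | sort |
    while IFS= read -r f; do
        # The path relative to document root is the URL path.
        rel=${f#"$docroot"/}
        printf '%s/%s\n' "$base" "$rel"
    done
)

# make_sample DIR: constructed layout mirroring the guide's example paths.
make_sample() {
    mkdir -p "$1/htdocs/inc" "$1/private"
    printf '<?php\n$db_user = "app";\n$db_pass = "constructed-secret";\n' \
        > "$1/htdocs/inc/db.inc"
    printf '<?php\ninclude "inc/db.inc";\necho "hello";\n' > "$1/htdocs/index.php"
    # Same credentials kept outside document root: no URL maps to this file.
    cp "$1/htdocs/inc/db.inc" "$1/private/db.inc"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_docroot "$demo_dir/htdocs" "http://example.org"
rm -rf "$demo_dir"
```

Any URL it prints is a file to move above document root, rename to `.php`, or block in the server configuration.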