Preventing remote include


tebrino

12:48 am on Jun 10, 2005 (gmt 0)

10+ Year Member



I wrote several PHP scripts and made them public and since these scripts appear to be quite popular I am now worried about their security. All scripts have a similar config file which stores db passwords and usernames, i.e.:

$username = "mysqlusername";
$pass = "mysqlpass";
$db = "mysqldb";
...

Is there some good way to protect these files from being remotely included? Since this is public script anyone could do something like this:

<?php
include("http://www.example.com/config.php");

echo $username;
echo $pass;
?>

Thanks in advance.

coopster

1:02 am on Jun 10, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I would keep them below the DocumentRoot for starters. Message #17 has a nice tip ;)

Good PHP solutions to small problems [webmasterworld.com]

tebrino

1:13 am on Jun 10, 2005 (gmt 0)

10+ Year Member



Thanks for the tip. Actually I am trying to prevent them from including my files and finding out sensitive information.

coopster

1:21 am on Jun 10, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



If you keep the documents with sensitive information below your DocumentRoot (or public area of your directory structure), they can't be remotely included.

tebrino

1:30 am on Jun 10, 2005 (gmt 0)

10+ Year Member



That means that if I store these files in, for example, http://www.example.com/includes/config.php they cannot be included remotely?

MattAU

7:27 am on Jun 10, 2005 (gmt 0)

10+ Year Member



Actually, what it means is that you store the files on your server in a directory not accessible via the web, such as:

/home/privatefiles

and you keep your web pages in:

/home/www

and you include the files with:

include('/home/privatefiles/config.php');

This way your private files aren't accessible to anyone that isn't on the local machine. Hope this helps.
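A worked version of the layout MattAU describes, added here as an example (it is not code posted in the thread): the public script computes the path of a config file that lives one level above DocumentRoot and refuses to load it if it turns out to sit inside the public tree. The directory names /home/www and /home/privatefiles, the helper name privateConfigPath and the variable names are assumptions taken from the posts above.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   /home/www/index.php            <- public (DocumentRoot), this file
//   /home/privatefiles/config.php  <- private, never served by the web server
declare(strict_types=1);

/**
 * Resolve the absolute path of a config file kept outside DocumentRoot.
 * Throws if the file is missing or if it actually lives under the public tree,
 * because anything under DocumentRoot is one misconfiguration away from being
 * served as plain text.
 */
function privateConfigPath(string $docRoot, string $privateDir, string $file = 'config.php'): string
{
    $root = realpath($docRoot);
    $path = realpath($privateDir . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $path === false) {
        throw new RuntimeException("config not found: $privateDir/$file");
    }
    // realpath() has removed any ".." segments, so a plain prefix test is enough.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException("config must live outside DocumentRoot: $path");
    }
    return $path;
}

// /home/www -> /home/privatefiles (sibling of the document root, as in the post).
$configFile = privateConfigPath(
    $_SERVER['DOCUMENT_ROOT'],
    dirname($_SERVER['DOCUMENT_ROOT']) . DIRECTORY_SEPARATOR . 'privatefiles'
);

// A filesystem path, never a URL: this include can only read the local file,
// and $username, $pass and $db are visible to this script alone.
require $configFile;
```

Because the path is built from the filesystem rather than from a request parameter, a visitor has no way to steer the include elsewhere, and the web server never sees /home/privatefiles at all.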

coopster

1:54 pm on Jun 10, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Similar discussions:

Performance and Multiple Include User Functions [webmasterworld.com]
Best practice in placing db connection file/folder [webmasterworld.com]
MySQL queries spanning multiple tables with different keys [webmasterworld.com] message #7 has some very good links

tebrino

3:22 pm on Jun 10, 2005 (gmt 0)

10+ Year Member



Thank you all for these useful threads. Personally I keep all sensitive files above www root. What I'm trying to accomplish is to create a simple installation script which will install MySQL tables and write data to config files. The problem is that many users don't have access to folders above their www root. I also noticed that many popular packages, like PHPNuke and PHPMyAdmin, keep their config files in public folders.
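For the case raised in the last post, where an installer has to write the config into the public folder because the host offers nothing above www root, the following is an added example and not code from the thread or from any of the packages named. It keeps config.php a PHP file (so the server executes it instead of serving its text, and a remote include of its URL receives only empty output), rejects direct requests, and stores the credentials as constants instead of globals. The constant name APP_ENTRY, the includes/ directory and the sample credential values are assumptions.

```php
<?php
// Added example, not from the thread. Assumed location: /home/www/includes/config.php,
// written by the installer. Every real entry point defines APP_ENTRY before
// requiring this file; a browser request for the file itself never does.

// Reject direct requests: without the constant, send 403 and emit nothing.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Constants rather than globals: an including script cannot echo or clobber
// them through a stray variable name, and they cannot be redefined later.
define('DB_HOST', 'localhost');        // constructed sample values
define('DB_USER', 'mysqlusername');
define('DB_PASS', 'mysqlpass');
define('DB_NAME', 'mysqldb');

// No closing ?> tag: trailing whitespace after it would be sent to the client
// and break later header() calls in the including script.
```

The entry point then does `define('APP_ENTRY', true); require __DIR__ . '/includes/config.php';`. On Apache it is worth adding a `<Files "config.php">` deny rule in the folder's .htaccess as a second layer, so that the source is protected even if PHP handling is ever disabled for that directory.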