If your webserver is configured to handle PHP files correctly, then outside users cannot view your PHP scripts' contents (unless you have a security hole elsewhere).
A security practice many probably use is that they just create a small PHP file with their login details, like so:
<?php
$host="localhost"; // Host name
$username="user"; // MySQL username
$password="pass"; // MySQL password
$db_name="test"; // Database name
$tbl_name="members"; // Table name
?>
And call it... mysql.php or something of the like, and place it OUTSIDE their web directory. If you had a Unix host, it might be something like /home/myUsername/public_html/ or /home/myUsername/www/ or something similar. They would then place the file in /home/myUsername/mysql.php, etc. and include it in their scripts, like so:
<?php
include('/home/myUsername/mysql.php'); // define MySQL login variables
// Connect to server and select database.
// mysqli replaces the old mysql_* functions, which were removed in PHP 7.
$link = mysqli_connect($host, $username, $password, $db_name);
If you're worried about other people that host websites on the same server, then it's up to the server owner to make sure security is set properly and whatnot (permissions, PHP's Safe Mode, etc.).
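The placement and permission points above can be checked in code before the credentials are used. The following is an added example, not part of the original post: `load_db_config()` is a hypothetical helper, the temporary directory stands in for /home/myUsername, and the sample files are constructed. It assumes a Unix host where PHP reads the file as its owner or group.

```php
<?php
// Added example; directory layout and sample credentials below are constructed.

function load_db_config(string $configPath, string $webRoot): array
{
    $real = realpath($configPath);
    $root = realpath($webRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or web root not found');
    }
    // A file under the web root is served as plain text if PHP handling breaks.
    if (strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException("$real is inside the web root");
    }
    // Assumption: PHP reaches the file as its owner or group, so "other"
    // needs no access; this keeps other accounts on the host from reading it.
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException("$real is accessible to all local users");
    }
    require $real; // defines $host, $username, $password, $db_name
    if (!isset($host, $username, $password, $db_name)) {
        throw new RuntimeException('config file is missing a setting');
    }
    return compact('host', 'username', 'password', 'db_name');
}

// Constructed sandbox standing in for /home/myUsername and its public_html.
$home = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$home/public_html", 0755, true);
$php = '<?php $host="localhost"; $username="user"; $password="pass"; $db_name="test";';
file_put_contents("$home/mysql.php", $php);
chmod("$home/mysql.php", 0600);                      // right place, right mode
file_put_contents("$home/public_html/mysql.php", $php);
chmod("$home/public_html/mysql.php", 0600);          // wrong place
file_put_contents("$home/open.php", $php);
chmod("$home/open.php", 0644);                       // wrong mode

foreach (['mysql.php', 'public_html/mysql.php', 'open.php'] as $f) {
    try {
        $cfg = load_db_config("$home/$f", "$home/public_html");
        echo "$f: ok, would connect to {$cfg['host']} as {$cfg['username']}\n";
    } catch (RuntimeException $e) {
        echo "$f: refused\n";
    }
}
```

Where every site on the server runs PHP as the same system user, the mode check cannot separate tenants, which is the case the post leaves to the server owner.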