How do you store your mysql user credentials in a secure way?

Source code to PHP scripts are not visible to people inspecting your source code, so in general DB passwords are fairly secure in PHP, unless there is errors thrown from the file containing the information then there is a chance it will be printed in the error or accessible.

Although this article has a very good explination on storing your passwords outside of the root folder and is roughly the way I do it myself (give or take a few changes depending on how the server is configured):

https://www.binpress.com/tutorial/using-php-with-mysql-the-right-way/17

Example:

The root of my webserver is "/localhost/public_html/" I create a folder lets say for example "/localhost/private/" This location is not accesible to others externally as it does not have url being one level above the root folder.

I place a config.ini at "/localhost/private/config.ini"

The config.ini contains the database login credentials:

[database]
servername = localhost
username = admin
password = password
dbname = db_main

I then create a php function within the root lets say for example at "/localhost/public_html/includes/dbconnect.php"

Contents of dbconnect.php:

<?php
function db_connect() {

        // Define connection as a static variable, to avoid connecting more than once 
    static $connection;

        // Try and connect to the database, if a connection has not been established yet
    if(!isset($connection)) {
             // Load configuration as an array. Use the actual location of your configuration file
        $config = parse_ini_file('../private/config.ini'); 
        $connection = mysqli_connect($config['servername'],$config['username'],$config['password'],$config['dbname']);
    }

        // If connection was not successful, handle the error
    if($connection === false) {
            // Handle error - notify administrator, log to a file, show an error screen, etc.
        return mysqli_connect_error(); 
    }
    return $connection;
}

// Connect to the database
$connection = db_connect();

// Check connection
if ($connection->connect_error) {
    die("Connection failed: " . $connection->connect_error);
}
?> 

As you can see I parse the values of config .ini file into an array $config from the server location "../private/config.ini" which is a location that can only be accessed by the localhost and cant be scoped out via a URL.

Whenever I want to connect to the database I just include the dbconnect.php file that contains the function,

<?php
require_once('./includes/dbconnect.php');
?>

and for queries I call the variable $connection from the dbconnect() function, for example:

<?php 
$sql = "SELECT id, title, stitle, date, section, content FROM articles";
$result = $connection->query($sql);
?>

By doing all this my database login credentials are located outside the scope of the websites root, and if you were to get an SQL or PHP error it will only display the variable names and not the values holding the login credentials.

Hope this helps you work it out (it's pretty confusing and took me a while to get my head around at first) if you need any more help let me know :)