in reply to Thinking bout security- Mysql-perl

You could put the username and password (possibly with a login-function too, that returns the db-handle) in a module that you put somewhere where it can not be accessed via the web server. Just like you should do with the passwords for .htaccess. In that case it will not be viewable even if the server decides to show the source instead of executing the scripts.

I also assume that you have made sure that only localhost can read/write the tables, so no one can connect from the outside either way. That is the MySQL default, so it should be fine if you didn't do any changes. Given that, people can not access your data even with the username and password without doing it from your server.

I'm sure there is more, but something like that should be a reasonable start at least. :)


You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.
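
The module approach described in the reply above, sketched as an added example that is not part of the original post. The package name `MyApp::DBLogin`, the path `/home/appuser/private/lib`, and the `appdb`/`appuser` values are hypothetical placeholders; the file-permission check and the generic error message are additions that go beyond what the reply describes.

```perl
# File: /home/appuser/private/lib/MyApp/DBLogin.pm
# (hypothetical path; the point is that it lives outside the web root)
package MyApp::DBLogin;

use strict;
use warnings;
use DBI;
use Exporter 'import';

our @EXPORT_OK = qw(db_login);

# Constructed placeholder values; replace with your own.
my %CONF = (
    database => 'appdb',
    host     => 'localhost',   # the account should exist only as 'appuser'@'localhost'
    user     => 'appuser',
    password => 'CHANGE_ME',
);

# Refuse to hand out a handle if this file is accessible to "other" users.
# Assumption: owner or group access is how the web server user reads it.
sub _check_permissions {
    my @st = stat(__FILE__) or die "Cannot stat credential module: $!\n";
    my $mode = $st[2] & 07777;
    die sprintf("Credential module has mode %04o; remove access for others\n", $mode)
        if $mode & 0007;
    return 1;
}

# Returns a connected database handle; callers never see the credentials.
sub db_login {
    _check_permissions();
    my $dsn = "DBI:mysql:database=$CONF{database};host=$CONF{host}";
    my $dbh = eval {
        DBI->connect($dsn, $CONF{user}, $CONF{password},
            { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
    };
    unless ($dbh) {
        # Detail goes to the server error log; the caller gets a generic message.
        warn "db_login failed: " . ($DBI::errstr // $@) . "\n";
        die "Database connection failed\n";
    }
    return $dbh;
}

1;

# In a script under the web root (usage):
#   use lib '/home/appuser/private/lib';
#   use MyApp::DBLogin qw(db_login);
#   my $dbh = db_login();
```

If the server ever serves a script as plain text, only the `use lib` path and the module name are exposed, not the password.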