some ideas...

From the web as cgi, you can prevent the code from being seen via web configuration, i.e. only allow the script to be executed (no directory views, use an .extension that has forced execution).

from command-line, it won't be so easy.

in either solution, put the connect info into a separate file and read it into the script at runtime.

If the script(s) need only READ from the database, then be sure to use a userid that is restricted from doing writes to the database, and use views to protect table columns that are not to be accessed.