SQL username and passwords inside PHP file shouldn't be a problem, because the source is not uploaded. Only the output of the script. So, if the script doesn't print the username and password, there is no problem.
Hiawatha can help you preventing access to those files. You can do that via the UrlToolkit:
ToolkitID = protect_files
Match ^/path/to/file.txt DenyAccess
Match ^/path/to/directory/ DenyAccess
UseToolkit = protect_files
But this should only be seen as a work around for badly designed websites.