Use .ini file to save DB connection data?

It is not a question of good practice or bad practice, it is a matter of knowing how you are doing, for example in laravel the main bank password is in .env (this file is basically a .ini format only uses one custom extension):

• link

But the folder where the data is stored is not available via HTTP (access via site url), because the addresses are pointed to inside the folder ./public

Of course there are programmers (pseudo-programmers) who do not understand the logic of the laravel folder structure and put everything inside public_html or www in hosting and create .htaccess without having much understanding about it, which can sometimes end up allowing access to .env via URL http://site/.env

Now you know what you're doing, that your .ini will be isolated in a place that only scripts and administrator will be able to access so there would be no problem at all.

Of course you can also choose to create a .php with define , for example:

You have a file named config.php with this content:

<?php
define('DB_HOST', '12*.***.***');
define('DB_USER', 'foo');
define('DB_PASS', 'bar');
define('DB_MAIN', 'banco');

So it should be included in all major scripts with:

<?php

require_once 'config.php';

...

In mysql I would use something like (just an approximate example):

 $link = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_MAIN);

PDO (just an approximate example):

 $dbh = new PDO('mysql:host=' + DB_HOST + ';dbname=' + DB_MAIN, DB_USER, DB_PASS);

So if the user accesses via URL http://site/config.php it will be visible only one blank page.

One important thing to do is to always shut down the errors in the output and keep only in the log, sitting in php.ini:

 display_errors=off

This is because some debuggers, such as Laravel and other frameworks can display parts of the code, in fact it is a bad mistake to bind the debuggers in production (on your hosting server), debuggers should be used only in secure environments, such as in your machine.