storing sensitive values in a secure location

I know this is probably a really simpleton question so apologies but I'm trying to learn new things.

I'm playing around with API calls and a tutorial I'm reading is a开发者_开发问答dvising that for sensitive info like passwords, username etc I should be "storing these values in a secure location other than your web server document root and setting the file permissions so that only the system user that executes your ecommerce application can access it."

That all sounds like a spiffing idea, but I'm not completely sure how to go about it. Do I have a php file with for example define('PASSWORD', 'xxxxxx'); etc in it and then call that from somewhere? If so how and where should I put it?

I know you're probably wondering why I'm playing around with an API if I don't know how to do that and indeed it is a strange route that I've come down to find myself here, yet here I am, and that is what I don't know.

any help would be most gratefully received :) Julia

Edit: by the way assume I know nothing - because I really do know very little ;)

What they mean is, it's ok to put your user/pass in a file that gets included in your app, but that file should be some place other than where your index.php is. For example, given the directory structure:

/home/alex/site/public/
/home/alex/site/lib/
/home/alex/site/data/

In the public dir, I'd put my index.php, my CSS, my JS, and images. And that's it. The meat of the PHP app would go into the lib dir, and be referenced by the PHP include_path. Extra files like configs might go into the data dir. Then, your vhost document_root points to the public dir. So, a user hitting http://alex.com/index.php gets the right file, but since the data and lib dirs are up a level from the document_root, nobody can grab http://alex.com/data/secret.txt.