If your server is php enabled it should not matter where you have the connection file as the source will not be available to whomever browses to it. If you want to check that your directories are secured like you expect them to be you should put some sample pages in them then try to access them from the browser. You should be able to determine if the files are freely available or if they are protected.
If this is file system style security then they should not be accessible, if this is secured with the inclusion of some code at the top of the pages then the directories themselves are not secured, just the pages with the code on them.
