Security
To assure privacy of your data, you may take three different approaches:
Use .htaccess to prevent access to a data directory
This approach consist in making a directory, eg. db, and putting all your data files there, along with a file called .htaccess (yes, its name starts with a dot), with these two lines inside:
order deny,allow deny from all
That's it, no one can see them now (but your scripts can!), even if he guesses their name (and the name of the directory).
In case you'd like to learn more about .htaccess files, you may want to read this excellent article by Bryan E. Sampieri.
Place data outside <public_html> directory
Since browser cannot display files that are located outside the <public_html> directory, you may place your data files there and that's it again. Obviously, your scripts will still be able to read and write these files.
If your directory outside <public_html> directory is named eg. db, you need to add /.. to be able to reach it; probably the best idea would be to do it in ptb_ini.php file:
define('PTB_PATH_DB', '/../db');
Use security string in your database's header
If no one knows names of your files, he doesn't know how to display them in the browser, right? (names of your files obviously are written in your PHP scripts, but what the user sees are only xHTML pages–because you do use xHTML, don't you?–with no variable names). Let's suppose though, that (a) the malicious user guessed the name and location of your files, or (b) that you were lazy enough not to prevent directory listing, or (c) there was an error and the error message was displayed, showing names of your database files–what now? well, really nothing :-) provided that you followed two simple security rules:
- always use .php extension for your database files (or make your server process them as if they were .php)
- always use security string
What is this security string, anyway? It's simply one line:
<?php die('Access denied!');?>
placed in the beginning of your database file. With .php extension your files will be parsed by PHP, which means that the only thing an attacker would see is Access denied! message.
So to sum it up–yes, I believe you can treat your data as relatively safe. Of course you should consider additional security measures, eg. do not keep passwords in plaintext in your files (but that's another story).