It does not matter where the credential file lives -- as long as it is only readable by you. DreamHost runs PHP using suexec CGI by default (unless you turned off "Run PHP as CGI"), so your scripts runs in the same user as the owner of the script, i.e. you, thus it can read owner-readable PHP files inside your site.
To change the file to be only readable by the owner, get into shell and do,
~$ chmod 600 mysecrets.php