There is no perfectly safe choice, but some are better than others.
Don't save sensitive information in your project's source code -- you don't want your passwords and API keys on github.
Saving sensitive information in a database is fine, but then you still need somewhere to store the database credentials, and you're right back where you started.
You can save sensitive information in environment variables. These would usually be set up in your web server's configuration file(s).
Saving sensitive information in an ini file is fine, provided the following:
- The file has the minimal permissions required.
- The file is completely outside the web server's document root and thus can't ever be served directly. Don't put the file in your main directory and then use .htaccess to deny access to it.
- The file is not committed to source control. If you're using git, edit your .gitignore so that the file is ignored.
These should also go without saying:
- The user account running the web server process should never have write permission to the files it's serving.
- Other non-privileged users on the machine running the web server process should not have read access to the files it's serving.