Regarding the safety: what mario and PiranhaGeorge said (it depends on the location, the locatiion shouldn't be accessible by a browser)
Regarding the use of config files: keep in mind that you absolutely need a few informations first, before you can access more complex storage facilities. For example you need to have db access parameters or decrypt informations for crypted files.
There are a few settings that have to be known at the start of the application and can't (easily) be changed during the runtime. Another example other than db access parameter could be include paths to plugin directories.
These informations have to be changeable without starting the application first.
Ideally you want a format that is easily understandable by both the machine (for example the PHP interpreter) and the admin. The machine needs to spend as little time as possible in loading the configuration, the admin needs a way to change the application parameters in a simple way (think SSH and vi or other bash editors on a smart phone, if there is an emergency), for example if there is a need to switch between production and testing databases.