My current hosting company cannot allow me to place any content above the server root. So i have no way to protect those config.php files from those evil people. I know a way to stop them being accessed by browsers (fake 404 messages) but it's very easy to get pass that.
do you guys know any other way to protect files from users but allow php scripts to access them?
If your hoster allows the use of .htaccess files you could add a file called .htaccess into the desired directory with the content:
deny from all
So nobody can acces the files in this directory (but your php interpreter should still be able to).