I set up my directory structure like this.
/lib #contains modules
/config #config information differing prod from dev
This stucture makes it easy to move from dev to test to production enviroments by setting up enviroment specific files in config. The sensitive information in /lib and /config are also in the same level as the website root so it is not accessable from the webserver (i.e. the webserver does not even know about them),but you can access them by relative paths in your scripts. The more information you keep inaccessable the better. There is no need for a vistor to be able to know anything about database structure, what DBI driver you are using, or if you mistakingly rolled your own query string parser :).
Then the fun part is to get your server locked down so that they can not get to see those files by other means.
grep> cd pub|
grep> more beer