db.php for example will not show anything unless you echo it.
db.inc is treated as a plain text and is viewable.
db.inc.php on the other hand is still a php file and is not viewable.
There are programs out there that 'cache' an entire website which would include one's php code. I just haven't researched intotwhat these programs are, how they work and hwo to prevent them from doing thier work.
What I ahve gatehred so far is they act like a spider, but there's no point in finding thier 'ROBOT' name to exclude it from your site as they have the option to 'disguise' themselves as something else such as a GoogleBot. In fact they don't even need to pay attention to a ROBOTS.txt file.
There are a few tutorials on preventing site caching and tightening php security, so my first suggestion would eb to consult Google
I believe you can secure passwords for db, etc by putting the file/s into a folder, something like your 'inc' folder then use Apache's htaccess to secure it.