restrict the upload destination(s), then create a .htaccess file for each directory with the following:
You can add a line at the end for allow from <your ip address> if you want to be able to browse and execute any files in that directory from your own connection. Alternatively, you can use move_uploaded_file() to move the files to a directory above the document root - this way the files are safely out of the public domain.
Or, as another alternative, use chown() to adjust the permissions of the file to deny access.
Then create, or use one of the existing, file browsers for PHP to allow users to see what files have been uploaded.
For your db_config file, keep it above the document root - the include/require functions can include a file from anywhere that the PHP engine has access to, so it doesn't need to be in the public domain.
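The approach described above (uploads and the config file kept above the document root, with a small PHP script acting as the file browser), as an added example that is not part of the original post. The directory layout, the `upload` form field name and the function names are assumptions made for illustration.

```php
<?php
// Hypothetical layout: this script sits in the document root; uploads/ and
// db_config.php sit one level above it, where the web server serves nothing.
// The config is loaded the same way: require __DIR__ . '/../db_config.php';
const UPLOAD_DIR = __DIR__ . '/../uploads';

// Move one $_FILES entry out of PHP's temp dir under a server-chosen name.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $name = bin2hex(random_bytes(16));   // never reuse the client's file name
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store upload');
    }
    return $name;
}

// Minimal "file browser": list only names this script could have generated.
function list_uploads(): array
{
    $names = scandir(UPLOAD_DIR) ?: [];
    return array_values(preg_grep('/^[a-f0-9]{32}$/', $names));
}

// Stream a stored file as a download; the name check blocks path traversal.
function send_upload(string $name): void
{
    $path = UPLOAD_DIR . '/' . $name;
    if (!preg_match('/^[a-f0-9]{32}$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);   // bytes are sent as data, never run by the PHP engine
}

// Dispatch: POST stores a file, ?file=<name> downloads it, otherwise list.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    echo 'Stored as ', store_upload($_FILES['upload']);
} elseif (is_string($_GET['file'] ?? null)) {
    send_upload($_GET['file']);
} else {
    foreach (list_uploads() as $n) printf('<a href="?file=%s">%s</a><br>', $n, $n);
}
```

Because the stored files are reachable only through readfile(), an uploaded .php file is returned as a download rather than executed.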