I want to know what is the best practice or what is recommended to do when a variables are created for MySQL credentials/host.

    define('HOST', 'localhost');
    // etc..
   mysql_connect(HOST, // etc...

vs

    $host = 'localhost';
    // etc..
   mysql_connect($host, // etc...

For both you can easily check what are the declared variables or constants and maybe can find what are the value easily. I have code that multiple users can share and use.

What is the best way to protect these variables?

Here's few solutions

1) You give each user a user and password and each user has their permissions in the database (only select, or insert ect..). So in your code you simply include a db.config.php so all the variables are set. It does not really matter if the user echo the variables since they use their own.

2) you can give a common username/pass for the database and then encode the file (either using custom encoding, zend optimizer or ioncube and unset the variables. Here's a sample code:

// file mysql_connect.php

$link = mysql_connect("localhost", "mysql_user", "mysql_password")
    or die("cannot connect to database : " . mysql_error());

// then this file is encoded so nobody can view it.

3) At some point, someone, somehow will be able to find this information. I would simply recommend to trust your user (assuming these are developers)

At some point in your code you will have to hardcode this kind of information, the important thing is to keep it in only one place to promote maintanability. However, as you are worried about security I suggest you to check this: Convert PHP file to binary