My choice has always been in a subdirectory of root. To satisfy security requirements I use the .php extension so even though the files are exposed to the browser, they are still run on the server when directly queried. The subdir provides a clean organization and an easy deployment with tools like DreamWeaver. Jim