It sounds like you want to use an include file to store your SQL statement. You can just assign the SQL statment to a variable as a string in the include file. As in:

[PHP]$sql = "SELECT col_1, col_2, col_3 FROM filename WHERE id=3";[/PHP]
If security is the major concern, you should place the include files outside the Web tree. In other words, above the root directory for your site. Most servers have a tmp directory or something similar that you can use to store these types of files. The important part is that it should not be part of the Web site tree and therefore will not be accessible to others.

To call the include file, just fully specify the path to the file as in:

[PHP]require_once '/home/mysite/tmp/sql01.php';[/PHP]
If you do not know the server path to a directory outside of the Web tree, just ask your Webmaster or hosting company.