Quote Originally Posted by sneakyimp
I hope by FTP access you mean SFTP (or more precisely SSH File Transfer Protocol), as old-fashioned FTP is not encrypted in transit. If someone is able to upload their own PHP source code to your server (or execute arbitrary PHP code as apache somehow), then injecting sensitive credentials as an ENV variable provides no security advantage over storing them in a PHP file. If, on the other hand, someone were somehow able to read all of your PHP but not change anything, they probably would not be able to discover the contents of environment variables on your server.
If someone has FTP access to my server, they have root access. How do I know? First and foremost, only the ssh port and web port are open. Second, I don't even have an ftp daemon installed. And thirdly, the ssh port is only open when my automated system needs to connect (basically, it hits the firewall service to open the port, connects to run commands, then closes the port back down). If someone gets into my system, they did some magical stuff, and I don't think it matters at that point how I store credentials haha.

Quote Originally Posted by sneakyimp
One example that comes to mind is when an apache adjustment or upgrade breaks your PHP installation and suddenly all of your PHP source code is visible to the entire world. I.e., every PHP file is not parsed as code, but rather any visitor to the site will just see the PHP source code. It's been a long time, but this has in fact happened to me. Theoretical security is one thing, but in reality things break in funny ways and sometimes your access is not complete. SQL injection vulnerabilities, for example, don't compromise any of your own system, but attackers can sometimes siphon off your entire user table. The term defense in depth comes to mind. It's a bit like designing a warplane. It's all well and good to make a plane with a gun and bombs, but the A-10 Warthog has all kinds of redundancy and armor and is intentionally designed so that it degrades gracefully when damaged. The Death Star, on the other hand, suffers a catastrophic failure once you get a torpedo or two into the exhaust port -- which is as big as a womp rat.
All modifications are done through automation, and first tested on a staging server. I happen to be one of those people who is highly paranoid. It takes me 5-10 min to open a shell to my production servers, but the benefit is that ssh isn't even available when I'm not on it.
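The "open the firewall, run the commands, close it again" pattern from the reply above, written out as an added example (this is not code from the thread or from either poster). The point worth getting right is that the port closes even when the remote command fails or the session is interrupted. The ufw rule syntax, the admin address 203.0.113.10, the host name and the `fw_*`/`remote`/`run_in_ssh_window` names are all assumptions; swap in your own firewall tooling.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Opens the SSH port in the host firewall
# only for the duration of one automation session and closes it again afterwards,
# whether or not the remote command succeeded. The ufw rule syntax, the admin
# address and the target host below are assumptions; replace them with your own.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"            # constructed example address (TEST-NET-3)
TARGET="${TARGET:-deploy@prod.example.invalid}" # constructed example host
SSH_PORT="${SSH_PORT:-22}"

# Firewall and transport actions are separate functions so they can be swapped
# (iptables/nftables, a cloud security group API) or stubbed when testing the flow.
fw_open()  { ufw allow from "$ADMIN_IP" to any port "$SSH_PORT" proto tcp >/dev/null; }
fw_close() { ufw delete allow from "$ADMIN_IP" to any port "$SSH_PORT" proto tcp >/dev/null; }
remote()   { ssh -o BatchMode=yes -o ConnectTimeout=10 -p "$SSH_PORT" "$TARGET" "$@"; }

# run_in_ssh_window OPEN_FN CLOSE_FN REMOTE_FN CMD...
# Opens the window, runs CMD through REMOTE_FN, then always closes the window.
# Returns the remote command's exit status so the caller can still react to failures.
run_in_ssh_window() {
    open_fn=$1 close_fn=$2 remote_fn=$3
    shift 3
    "$open_fn"
    # If the operator hits Ctrl-C mid-session, close the window before exiting.
    trap "$close_fn; exit 130" INT TERM
    rc=0
    "$remote_fn" "$@" || rc=$?
    trap - INT TERM
    "$close_fn"
    return "$rc"
}

# Stand-alone use: ./ssh_window.sh 'systemctl restart php-fpm'
if [ "$#" -gt 0 ]; then
    run_in_ssh_window fw_open fw_close remote "$@"
fi
```

Because the close step is unconditional and also wired to INT/TERM, a failed deploy or an interrupted session does not leave the port open; the exit status of the remote command is preserved so the calling automation can still fail the run.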
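The failure mode sneakyimp describes, a web server that starts returning PHP files as plain text after an apache change, is cheap to watch for from the outside. The following is an added monitoring check, not code from the thread: it fetches URLs of your own site and alerts if a response body contains a PHP open tag, which a correctly configured server never emits. The URLs and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Detects a web server that has started
# serving PHP files as raw source (e.g. after an upgrade broke the PHP handler).
set -eu

# Returns 0 when BODY looks like unparsed PHP source, i.e. the interpreter did not
# run. Patterns are quoted so '?' is not treated as a glob metacharacter.
looks_like_php_source() {
    body=$1
    case "$body" in
        *'<?php'*|*'<?='*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Fetches URL and reports. Exit status: 0 ok, 1 source exposed, 2 fetch failed.
check_url() {
    url=$1
    body=$(curl -fsS --max-time 10 "$url") || { echo "WARN: fetch failed for $url"; return 2; }
    if looks_like_php_source "$body"; then
        echo "ALERT: $url served raw PHP source"
        return 1
    fi
    echo "ok: $url"
}

# Stand-alone use (URLs are constructed examples):
#   ./php_leak_check.sh https://www.example.invalid/ https://www.example.invalid/login.php
if [ "$#" -gt 0 ]; then
    status=0
    for u in "$@"; do check_url "$u" || status=1; done
    exit "$status"
fi
```

Run it from cron or your monitoring system against the pages that include configuration; a non-zero exit is the signal. `<?xml` prologues do not match, so XML or RSS endpoints are not false positives.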