Currently we are storing mysql passwords in the application.ini.
As this file is in our source code control repository (bazaar), it is not a good place for the passwords of the production server.
I was thinking about storing it in an environment variable of the apache configuration.
Is this reasonably safe?
Just make sure that apache config file is not readable by any other user than apache.
But keeping password safe is not main precaution because you can also disallow connecting to your MySQL server from outside or just limit it to certain IP's.
Consider the following in a rogue script when the config file is readable by Apache:
<?php
echo file_get_contents('/path/to/config');
Secure the file to root-only access:
chmod 600 /path/to/config && chown root:root /path/to/config
Now you can use SetEnv without allowing child processes of apache to read the file. During bootstrap, set the DB connection up and then delete the server variables so that something like var_dump($_SERVER) doesn't show the values.
Limit by IP address to further hinder attack and so long as the attacker doesn't get access via the IP address and know the content of the config file, then you should be OK.