Consider the following in a rogue script when the config file is readable by Apache:
<?php
echo file_get_contents('/path/to/config');
Secure the file to root-only access:
chmod 600 /path/to/config && chown root:root /path/to/config
Now you can use SetEnv without allowing child processes of Apache to read the file. During bootstrap, set the DB connection up and then delete the server variables so that something like var_dump($_SERVER) doesn't show the values.
Limit access by IP address to further hinder an attack. So long as the attacker doesn't get access via that IP address and know the content of the config file, you should be OK.
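The bootstrap step described above, as an added example that is not part of the original answer: it copies the SetEnv values into a local array, removes every copy PHP exposes, and only then opens the connection. The variable names DB_HOST, DB_NAME, DB_USER and DB_PASS, the MySQL DSN and the sample array are assumptions made for illustration.

```php
<?php
// Added example. DB_HOST/DB_NAME/DB_USER/DB_PASS are assumed SetEnv names,
// not names taken from the original answer.
const DB_KEYS = ['DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASS'];

/**
 * Move the credentials out of the request environment into a local array
 * and remove the copies PHP exposes, so later dumps do not show them.
 */
function take_db_credentials(array &$server, array &$env): array
{
    $creds = [];
    foreach (DB_KEYS as $key) {
        if (!isset($server[$key]) || $server[$key] === '') {
            throw new RuntimeException("missing server variable: $key");
        }
        $creds[$key] = $server[$key];
        // Hide the value from var_dump($_SERVER) and $_ENV.
        unset($server[$key], $env[$key]);
        // Apache adds a REDIRECT_-prefixed copy after an internal redirect.
        unset($server["REDIRECT_$key"]);
        // putenv() with no "=" removes the name from the process environment.
        putenv($key);
        // Under mod_php, getenv() reads Apache's own table, so blank it there too.
        if (function_exists('apache_setenv')) {
            apache_setenv($key, '');
        }
    }
    return $creds;
}

function connect(array $creds): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
                   $creds['DB_HOST'], $creds['DB_NAME']);
    return new PDO($dsn, $creds['DB_USER'], $creds['DB_PASS'],
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Constructed sample standing in for $_SERVER / $_ENV so the scrub runs from the CLI.
$server = ['DB_HOST' => '127.0.0.1', 'DB_NAME' => 'app', 'DB_USER' => 'app_rw',
           'DB_PASS' => 'constructed-sample', 'REQUEST_URI' => '/'];
$env = [];
$creds = take_db_credentials($server, $env);
var_dump(array_intersect_key($server, array_flip(DB_KEYS)));
// In the real bootstrap: $pdo = connect(take_db_credentials($_SERVER, $_ENV));
```

Run the scrub before any other code is included, since anything that executes earlier in the request can still read the values.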