I know that the question How do I secure my database connection credentials? has been asked and answered multiple times (e.g. How to secure database passwords in PHP?).

A commonly accepted answer to that question is to store the details outside of the web root. But I’m curious as to why this really makes much difference.

From what I understand, a person cannot download the source of the PHP file via HTTP (unless your web sever is not configured properly, but you would know about that right away). So you won’t be able to see the credentials unless you have access to the source of the PHP file anyways. Correct me if I’m wrong, but doesn’t this basically mean that you would need shell access? And if you have shell access, can’t you just get to the file outside the web root anyways?

If the answer to that question is that the include file might have special permissions that don’t allow anyone but the web server user to read it, then (considering that I have shell access), couldn’t I just write (or modify) any PHP file to just echo out those credentials?

So the question is, does it really make any difference whether you store the credentials directly in the PHP script vs. in a file outside the web root?