"The only solution I see to this is pre-commit syntax checking for committed PHP files."<p>How would that have helped here? The file was obviously still valid syntactically. Try it for yourself: create a PHP file that looks like<p><pre><code> i?php
$config_data = array();
</code></pre>
and run it through PHP's syntax check (<i>php -l /path/to/file</i> from the command line). It will verify that the script is valid. However, the content will still not be parsed as PHP.<p>One way to fix this is to store your configuration data in another file format (e.g. YAML) outside of the document root. Since the configuration file doesn't try to be parsed as PHP, it can't be leaked in this way.
I'm far from being a PHP expert, but wouldn't writing critical password/data in a file, instead of directly in the source code, have avoided that issue? I mean, we would have seen the code to read the file... and not the pass?
Does the person not use syntax highlighting? A missing <?php tag would cause the PHP code to be highlighted as HTML code which would look very strange to anyone who has edited a PHP file with a syntax-highlighting-enabled editor.
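The first and third comments above turn on the same gap: a file missing its opening tag still passes `php -l`. The following pre-commit check is an added example, not part of any post in the thread; it assumes every committed .php file is pure PHP (no HTML-first templates), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: every committed .php
# file is pure PHP, so its first bytes must be the "<?php" open tag.

# Reads a file's content on stdin; succeeds only if the first five bytes
# are exactly "<?php". `php -l` cannot catch this: without the tag the
# whole file is inline text, which is valid PHP and is served verbatim.
starts_with_php_tag() {
    first=$(head -c 5)
    [ "$first" = '<?php' ]
}

# Checks the staged version (":path") of each added/copied/modified
# .php file, reports every offender, and fails if there was at least one.
run_hook() {
    git diff --cached --name-only --diff-filter=ACM -- '*.php' | {
        bad=0
        while IFS= read -r f; do
            if ! git show ":$f" | starts_with_php_tag; then
                echo "commit blocked: $f does not begin with <?php" >&2
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}

# Runs only when installed as .git/hooks/pre-commit.
case "$0" in
    */pre-commit) run_hook || exit 1 ;;
esac
```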