Hi. As another poster pointed out, when you don't control the hardware you have to trust those who control it, meaning: your hosting provider, and their server provider, their datacenter provider, and any other outsourced service provider (most of the time they are not the same company).
First, regarding your PHP code: you can use encoding products like Zend Guard, IonCube or Nu-Coder (I think those are the only ones that convert the PHP code to direct bytecodes so they are the most secure) or you can compile the PHP code to C using HipHop or PHC, or you can write the core code (not all) of your software in C and compile it as a PHP extension so any PHP code is useless without it. But even then, any skilled reverse-engineering person can recover some code by converting the bytecodes or the compiled machine code to some higher level language.
So, what to do (regarding your code access):
1) Use an encoder. Use IonCube (for example) with encoding+obfuscation+optimization so your source code is difficult to recover in a meaningful way (hey, if they want it, make them work really hard for it).
2) Rewrite the core functions (or the "secret sauce" of your application) in a compiled PHP extension (in C, with full optimizations), so the more important part of the code is not easily visible.
3) Compile the PHP code to C with PHC (the PHP Compiler) or HipHop for PHP. (Even if not all your PHP code but only the "secret" parts).
4) Host a part of your application (some core functions) as a remote service on hardware under your control, so, even if your application is compromised, the code is useless without the remote service.
Just remember, encoders make recovering the *original* source code impossible, but anybody can still regenerate the source code: it won't look like the original, but will work like it, and so your algorithms cannot be kept secret this way (also any data embedded in the code, like passwords, will be recoverable).
Now, regarding your database: you cannot be 100% sure nobody will watch or touch your data. Any person with hardware access can bypass your security, even whole disk encryption (because they can just replace the boot loader with a custom one to log the password you enter while booting, and that is really easy). And they don't have to be unethical people; depending on where the datacenter is located, they can just be forced to do it on behalf of the government, even if your business is in another country. (You may have a legal operation, but if one of your users is suspected of something...)
That's why cloud and SaaS providers cannot give 100% assurances about data privacy and confidentiality. They can just promise to do their best to protect the data from external and internal mishandling.
So, what to do (regarding the data access)? You have few options:
1) Host your application yourself. If this is a project for your company/organization/school, use your own server in your own facility in your own building with your own people. The problem with this is now you have to trust your own people, infrastructure, government, etc.
2) Look for a trustworthy datacenter provider with SAS70, PCI DSS and any other related certifications, in a country with strong privacy laws. For example, you don't want to host your application in the closet of a home-based hosting company in Sudan, but you may be interested in a server with a Switzerland-based SAS70-certified datacenter provider.
3) Redefine your needs and then forget about the 100% secrecy requirement of your project.
Just remember, your hosting company probably doesn't own the hardware; they may be the third or fourth layer, a reseller for a bigger company, which doesn't own the hardware either, they rent the space in a datacenter, and the datacenter provider may not be the owner but a reseller too for a bigger datacenter provider. So, when you trust your provider, you have to trust their providers, and their providers' providers.
Hope this helps.
My experience looking for ways to provide secure SaaS applications.