Visibility of scripts on HTTP server

If I have a http server with various HTML pages and various PHP (or other) scripts开发者_运维问答, then If I try to view the code (as in Chrome's View source tool) then the PHP code is not shown, which is just as well. I want to know how secure from prying eyes is the code? Would a password hardcoded into the script be safe?

The only time your PHP code could become exposed is if the script somehow becomes treated as "not-PHP" and gets served up as raw text. If your server configuration is correct, then the code is 'safe' from web-based leakage.

That being said, it is best to put critical information that should remain private (usersnames/passwords, config variables, database DSNs, etc...) in a separate file that's kept OUTSIDE of the site's document root. That way, even if PHP becomes corrupted/disabled on the server, all a user would see is

<?php
   include('critical_data_here.php');
?>

and not

<?php
$username = 'root';
$password = 'password';
$lotto_ticket_worth_50million = 'under the left couch cushion at 221B Baker Street';
?>

It's never 100% safe to keep passwords, especially on your server.
If you have to keep passwords in script - keep them in files, which placed not in public directory (can not be accessed by user in browser).

<?php
$password = "password";
?>

is save until you've got PHP module loaded.

<span>$password = "password";</span>

is not secure and will not work