I have a simple question: are php scripts in pages really hidden and unobtainable? If I have information in a php script that I don't want anyone to see, is there any way they can get it? Basically, the security system for my site revolves around user information stored in a comment in a php script. If there was a way that someone could get ahold of the script, my system would be crippled.

Is there anyway that someone viewing my site externally could get the file and view the scripts?

Your php code will generally be hidden from people viewing your pages as it is parsed by the php engine on your server before it is handed off to the browser. If someone views the source of your page for example they won't see your php code.

Nothing is completely unobtainable though. If someone really wants to get and see your file and is skilled enough they can find a way. There really isn't anything that's 100% secure.

I'm not sure why you would store critical user information in a comment though. Since it's a comment it's not needed at all or used in any by the script so I'm not sure how your security system can revolve around it. If it's there just so you or someone else can remember it there are probably better place to keep the information.

Well he could be using fwrite and so on, but basically all security measures are detterants and the goal is not to make something unnattainable (which is impossible) but to confound someones attempts so that the effort required far outweighed the rewards.

One way to understand security is to keep this in mind;
you can see it, therefore it can be seen,
if you can do it, then at least in some way it can be done.

Inn spite of all this though php code is very secure when on a php sever. Just make sure to always use and extension that will be parsed by the php server. For example .php, or .inc.php versus .inc.

Thanks for all your help, that answered my question.

And to answer yours, I do use fread and parse the info that is stored in a comment. We don't have anything too secure, and our users aren't too gifted with computers, so I really don't think I have anything to worry about.