After all, why doesn't the PHP source code appear in the browser?

7

Well, I know that PHP is an HTML preprocessor, I know it's interpreted by PHP and rendered on the page, but the source code does not appear. But is it really safe? I know it's possible to capture the results of the page, but I don't know how to capture the actual page itself. Still, is it safe to leave sensitive information in PHP source code blocks?

asked by anonymous 02.03.2018 / 13:36

4 answers

13

Nothing is safe if you do not know what you are doing. Almost all of the websites on the internet today are insecure because almost all of them are made by people who think that memorizing a cake recipe is enough to build a website.

Interestingly, in desktop systems that do not involve the internet, security can often be overlooked without major problems. But these people who do not know what they are doing prefer to do it on the web, without even knowing that the best solution would probably be a desktop or mobile application. The web should be the last option, when the others are not appropriate. That is, it is a sum of errors.

Answering this question alone does not keep you safe. And everyone thinks that this plus half a dozen other things is enough and that's all right. Security is a moving target; it always changes, so you can only be safe if you understand a lot about computing.

To answer this question: yes, it is safe if everything is done right. If you do it wrong, it is not. Doing it right involves a lot, but the main thing is to configure the server properly so that it always processes PHP pages and never exposes them. But do not think this is enough.

If everything is correct, every request for something with the .php extension will be delivered to the PHP interpreter, which will execute the code on the server and issue a response to the HTTP server, which will send it to the browser. So, unless you do something absurdly wrong, which is almost impossible, nothing in the PHP code will go to the HTTP server and hence to the client. PHP code is usually mixed with HTML; only the HTML part and what the programming code generates for the request goes to the browser.

The fact that it does not go to the browser does not mean that it is safe, only that it will not go there under normal conditions.

And do not rely on random people on the internet. There are some myths in the answers posted here, but most of them are right.

02.03.2018 / 13:46
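As an added example, not part of the answer above, here is an nginx server block that does what the answer describes: every request ending in .php is handed to the PHP interpreter (PHP-FPM here), and nothing that looks like PHP source is ever served as a static file. The document root, socket path and server name are assumptions.

```nginx
server {
    listen 80;
    server_name example.test;                # assumed hostname
    root /var/www/app/public;                # assumed document root
    index index.php;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Every .php request goes to PHP-FPM; the static file handler never sees it.
    # Without this block nginx has no handler for the extension and serves the
    # file bytes as application/octet-stream, i.e. the source is downloadable.
    location ~ \.php$ {
        # Return 404 when the .php file does not exist instead of letting a
        # PATH_INFO trick such as /uploads/avatar.jpg/x.php reach the interpreter.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Editor backups and copies (index.php~, index.php.bak, ...) do not end in
    # .php, so the rule above does not match them and they would be served as
    # plain text. Refuse them explicitly.
    location ~ \.php(~|\.bak|\.orig|\.swp|\.save)$ {
        return 404;
    }

    # Dotfiles and dot-directories (.env, .git/, .htpasswd) must never be served.
    location ~ /\. {
        return 404;
    }
}
```

The matching setting on the PHP side is `cgi.fix_pathinfo=0` in php.ini, which stops PHP-FPM from walking back along the path to find a script when the requested one does not exist. The point of the extra rules is the one the answer makes: "the server processes .php" is not the same as "the source cannot be exposed", because a stray copy of the file with a different extension falls straight through to the static handler.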
7

PHP code runs only on the server. The PHP engine uses your code to generate the HTML that is sent to the person requesting the page.

In general, it is not possible to determine whether an HTML snippet was written as HTML in the original source code or whether it was generated by some engine (such as an application in Node.js, C#, PHP, etc.). Even in cases where the most commonly used libraries leave their "marks" (such as very specific HTML comments or repeated snippets known to those in the field), it is not possible to reverse engineer and "guess" the PHP source only from the HTML that came down.

So unless someone has access to your server's FTP, it's safe to say that they will not be able to see your code just from the generated HTML.

The risks of placing sensitive information in source code are as follows:

  • If your code is in a repository such as GitHub or Bitbucket, whoever has access to the repository can see the sensitive information;

  • If someone is inexperienced enough to put sensitive information in code, it would not be surprising if that person made a slip that turned PHP source code containing sensitive information into page text (I've seen it happen more often than I can count). In this case the problem is not PHP itself, but the developer.

02.03.2018 / 13:45
3

I have little experience with PHP, so feel free to edit and improve this answer.

The reason the PHP source code does not appear is that it is not HTML code; it is run/interpreted by the server, and that code produces HTML code.

I even noticed this when trying to write a basic PHP program (Hello World) in an HTML page without a server running behind it, and my browser (Chrome, in this case) simply commented out the PHP code when opening the page. I was frustrated at the time. But after I looked into it, I saw that PHP code is used by the server, not by the browser, so a test environment for PHP must have a local server, such as Tomcat or something similar.

In short: PHP is processed by the server, and the browser just receives its results and processes them for display. Making the browser run PHP code would be dangerous, in my opinion, as it would open up many security holes.

02.03.2018 / 13:43
3

The browser does not have the resources to execute PHP logic, only JavaScript logic.

The browser itself receives and renders the HTML, taking into account the style defined by CSS. At the same time, it also has the ability to interpret JavaScript logic, which is what powers pages.

What has the ability to interpret PHP is the web server. It interprets the code and sends the HTTP packet with the HTML body (html, css and js).

The browser has a JavaScript engine, which is like the PHP interpreter on the server, but it does not run PHP, just JavaScript.

Answering your question: yes, you can put information in your PHP that in theory cannot be displayed to the user in any way.

I say in theory because if the application is not secure or there are bugs you have not seen, some users can do something unexpected and break its logic, generating errors and (maybe) allowing the information contained in the PHP to go to the browser because of the error. But, again, this does not mean that the browser will run the code; it has no 'power' to do so.

02.03.2018 / 13:44
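The two remaining risks named on this page are a secret sitting in a file that may be committed to a repository or served as text (the second answer) and an error that prints internal details into the response (the answer just above). The following PHP is an added example, not code from any of the answers, showing the weak form beside a hardened one: the credential lives in a file above the document root rather than in the page's source, and failures are logged server-side instead of displayed. The directory layout, file names and database settings are assumptions.

```php
<?php
// Added example. Assumed (hypothetical) layout:
//   /var/www/app/public/index.php    document root: this file, reachable by URL
//   /var/www/app/config/secrets.php  one level above the document root: no URL maps to it
//
// Weak form, what the answers warn against: the credential is inside a file under the
// document root. If that file is ever served as text (server misconfiguration, an editor
// backup such as index.php~, or a push to a shared repository), the credential goes with it.
//
//     $dbPassword = 'replace-me';   // secret embedded in the page's source
//
// Hardened form: read the credential at runtime from a file outside the document root
// (keep config/secrets.php out of version control via .gitignore and deploy it separately).
declare(strict_types=1);

// Never let PHP print errors into the response. With display_errors=On, a failed
// require or a database exception writes file paths, and sometimes argument values,
// straight into the HTML that reaches the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Load the secrets array from a PHP file outside the document root.
 * The file is expected to contain:
 *     <?php return ['db_user' => '...', 'db_password' => '...'];
 * Details of any failure go to the server log; the caller only gets a generic exception.
 */
function loadSecrets(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        error_log("secrets file not readable: {$path}");
        throw new RuntimeException('Application is not configured.');
    }

    $secrets = require $path;

    if (!is_array($secrets)) {
        error_log("secrets file did not return an array: {$path}");
        throw new RuntimeException('Application is not configured.');
    }

    // Fail closed on a missing or empty value. Key names are not secret; values are,
    // so only the key name is ever written to the log.
    foreach (['db_user', 'db_password'] as $key) {
        if (!isset($secrets[$key]) || $secrets[$key] === '') {
            error_log("secrets file is missing '{$key}'");
            throw new RuntimeException('Application is not configured.');
        }
    }

    return $secrets;
}

try {
    $secrets = loadSecrets(__DIR__ . '/../config/secrets.php');

    // Assumed connection settings. The array is used, never echoed, var_dump'ed or
    // interpolated into a message that could end up in the response.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    $pdo = new PDO($dsn, $secrets['db_user'], $secrets['db_password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (Throwable $e) {
    // A PDOException message can include the DSN and user name; it stays in the log.
    error_log(get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    echo 'Service temporarily unavailable.';
    exit;
}

echo 'OK';
```

The `display_errors` and `log_errors` calls are what separate "the browser cannot run PHP" from "the browser cannot see what PHP knows": the interpreter never ships the source, but an unhandled exception with display on ships file paths and, for some exceptions, argument values. Moving the secret out of the document root addresses the other half, since a misconfigured server or an editor backup can only leak what is under the directory it serves.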