Nobody can see your code because Apache (or whatever web server you use) is instructed to EXECUTE any .php files rather than simply serve (display) them as it does by default (with .html, .css, .js, etc).
I think what you may have heard of is a general security concern using PHP in general – If you are using a shared host (where other users also use the same server as you) they will generally be able to view your code programmatically, that is to say they can write a PHP script which lists your PHP scripts — this does require that they know the physical directory your scripts are stored in, but again they could write a PHP script to try and discover this.
Generally speaking this isn’t an issue, but if I’m doing anything of a sensitive nature (such as taking card payments) I always ensure I’m working in an environment only I have programmatical access to (ie. a virtual server or a dedicated server — By virtual server I mean a virtual machine to which I have dedicated exclusive access, do not confuse this with “Virtual Hosts” which are shared servers).
5
solved Can you see PHP scripts client side?