A bug or security vulnerability in the server (either Apache or the PHP engine), or your own PHP code, might allow an attacker to obtain access to your code.

服务器（Apache 或 PHP 引擎）或您自己的 PHP 代码中的错误或安全漏洞可能允许攻击者访问您的代码。

For instance if you have a PHP script to allow people to download files, and an attacker can trick this script into download some of your PHP files, then your code can be leaked.

例如，如果您有一个允许人们下载文件的 PHP 脚本，并且攻击者可以欺骗该脚本下载您的某些 PHP 文件，那么您的代码可能会被泄露。

Since it's impossible to eliminate all bugs from the software you're using, if someone reallywants to steal your code, and they have enough resources, there's a reasonable chance they'll be able to.

由于不可能消除您正在使用的软件中的所有错误，如果有人真的想窃取您的代码，并且他们有足够的资源，那么他们很有可能做到。

However, as long as you keep your server up-to-date, someone with casual interest is not able to see the PHP source unless there are some obvious security vulnerabilities in your code.

但是，只要您使服务器保持最新状态，除非您的代码中存在一些明显的安全漏洞，否则有兴趣的人将无法看到 PHP 源代码。

Read the Security section of the PHP manualas a starting point to keeping your code safe.

阅读PHP 手册的安全部分作为保证代码安全的起点。

Noone cand read the file except for those who have access to the file. You must make the code readable (but not writable) by the web server. If the php code handler is running properly you can't read it by requesting by name from the web server.

除了有权访问该文件的人之外，没有人可以读取该文件。您必须使 Web 服务器可读（但不可写）代码。如果 php 代码处理程序运行正常，则无法通过从 Web 服务器按名称请求来读取它。

If someone compromises your server you are at risk. Ensure that the web server can only write to locations it absolutely needs to. There are a few locations under /var which should be properly configured by your distribution. They should not be accessible over the web. /var/www should not be writable, but may contain subdirectories written to by the web server for dynamic content. Code handlers should be disabled for these.

如果有人破坏了您的服务器，您将面临风险。确保 Web 服务器只能写入它绝对需要的位置。/var 下有几个位置应该由您的发行版正确配置。不应通过网络访问它们。/var/www 不应是可写的，但可能包含由 Web 服务器写入的动态内容子目录。应该为这些禁用代码处理程序。

Ensure you don't do anything in your php code which can lead to code injection. The other risk is directory traversal using paths containing .. or begining with /. Apache should already be patched to prevent this when it is handling paths. However, when it runs code, including php, it does not control the paths. Avoid anything that allows the web client to pass a file path.

确保你没有在你的 php 代码中做任何可能导致代码注入的事情。另一个风险是使用包含 .. 或以 / 开头的路径进行目录遍历。Apache 在处理路径时应该已经打过补丁来防止这种情况发生。但是，当它运行代码（包括 php）时，它不控制路径。避免任何允许 Web 客户端传递文件路径的内容。

By using exploits or on badly configured servers it could be possible to download your PHP source. You could however either obfuscate and/or encrypt your code (using Zend Guard, Ioncube or a similar app) if you want to make sure your source will not be readable (to be accurate, obfuscation by itself could be reversed given enough time/resources, but I haven't found an IonCube or Zend Guard decryptor yet...).

通过使用漏洞或在配置不当的服务器上，有可能下载您的 PHP 源代码。但是，如果您想确保您的源代码不可读，您可以混淆和/或加密您的代码（使用 Zend Guard、Ioncube 或类似的应用程序）（准确地说，如果有足够的时间/资源，混淆本身可以被逆转） ，但我还没有找到 IonCube 或 Zend Guard 解密器......）。