How do you securely use "mysql_connect()" on a PHP page? If you put the host, user, and password right there in the page, couldn't somebody figure them out pretty easily?
Users do not see the PHP behind a website. You use the code and anything behind that does not appear to the user, but rather only if they view the source of the code on the actual server. I also recommend using something like config.php or the like to set up a function or something to do all that in case you need to do multiple connections.
PHP outputs HTML to HTTP file requests, so the username/password specified in the PHP is never seen by web surfers. In order to download the source code they would have to already have your FTP username/password. I have heard of instances where another user who already has permissions on your server may be able to write a script to gain access; however, I have yet to see this actually occur. IMO PHP is quite safe. If anyone has ever heard of a way to view PHP source code I would definitely want to hear about it as well...
For added security, I always put my database creds in a separate include file and pull it from a directory above the www/ root (a directory that doesn't have public access). I liken this to locking my car - it won't deter someone who really wants to break in, but it discourages the easy hit...
Sure, if you're purposely trying to let them view the source. Most webservers will allow you to use a .phps (PHP Source) extension and view the code.
No, this is normally not possible. If the webserver is misconfigured, it might happen that the PHP code is displayed to the user. If you are on a shared host and the permissions are not set correctly, others might have a look at your code (with shell access).
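
The two precautions raised in the replies above (credentials in an include file outside the web root, and file permissions on a shared host) can be enforced at load time. This is an added example, not code from any poster: `load_db_config()`, the directory layout and the credential values are hypothetical, and it assumes a Unix-like host. The commented connection line uses `mysqli_connect()` because `mysql_connect()` was removed in PHP 7.0.

```php
<?php
// Added example: load DB credentials from a file kept outside the web root.
// load_db_config() and all paths/values below are hypothetical.

function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Refuse a config file the web server could be asked to serve.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // On a shared host, other local accounts must not be able to read it.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('config file is world-readable');
    }
    $cfg = require $real;   // the file returns an array
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("missing config key: $key");
        }
    }
    return $cfg;
}

// Constructed demo layout: <tmp>/site_x/www is the web root, <tmp>/site_x/private is not.
$base = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
mkdir("$base/www", 0755, true);
mkdir("$base/private", 0700, true);
$sample = "<?php return ['host'=>'localhost','user'=>'app','pass'=>'example-only','name'=>'appdb'];";
file_put_contents("$base/private/db.php", $sample);
chmod("$base/private/db.php", 0600);
file_put_contents("$base/www/db.php", $sample);   // the layout to avoid

$cfg = load_db_config("$base/private/db.php", "$base/www");
echo "loaded credentials for user {$cfg['user']}\n";
// $db = mysqli_connect($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);

try {
    load_db_config("$base/www/db.php", "$base/www");
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}
```

If the web server runs as a different account from the file's owner, the file needs group read access for that account (for example mode 0640) rather than 0600; the world-readable check still passes.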