Imagine the following PHP file:
<?php
$topSecret = "Something important";
?>
If I put this on a server running the standard LAMP setup, how could someone could find out $topSecret?
If the variable is not echoed, is it vulnerable? A real application of this might be database credentials stored in the web root of a server.
If PHP were to fail somhow, then the page would be displayed as a plaint text file. That has happened before; it once happened to Facebook. To protect against this you should store all sensitive variables (passwords, etc) in a php file which is not in the web root. You could store it in the parent folder (if you have access to it) or in a subfolder which is protected by apache (deny all).
Under normal circumstances, it would not be possible to view that.
But errors in configuration, or exploits in code could make it possible to view the contents of the files.
Normally, one would place such information outside of the webroot, to decrease the chance such a thing happens.