I am sorry if this is a dumb question but if I didn't ask I wouldn't know.
I don't really understand how cURL works, can it read the unparsed php code from a php file? If so, what is to stop some hacker from reading the script that connects to my data-base and stealing the login info?
Thanks.
No—PHP code is always parsed by the server whenever any kind of request is made. So if you use cURL to download a PHP file from the web, you will get its parsed HTML output.
No, it cannot. All cURL does is access an URL just like you would access it using a browser. If you can read the PHP source with a browser, so can cURL, if not, then not.
For an HTTP request, no. However, if you have FTP access and sufficient permissions to the server on which the PHP file is stored, you can use cURL to connect via FTP and download the unexecuted PHP source code much like you would connect with any other FTP client. I don't remember offhand if it supports SFTP or FTPS, but it likely does.
Through HTTP, cURL should only be able to read one or the other, so it's safe to say that if you don't see php in your browser, cURL won't either.
However, if for some reason Apache has a very broken configuration, it will just echo the contents of the source file (php). There are also ways to intentionally configure Apache to return either the rendered page or the php source, but both could not be served on the same address.
So in general, the answer to your question is no.