You've asked a really big question that doesn't have a hard-and-fast answer. Generally speaking, pages users request in a browser must be in your public_html directory.
PHP has the capability to reference files anywhere on your server if the permissions on those files are accessible to the Apache user. I've variously seen this user as 'nobody', 'apache', and 'www-data'. This means you can safely put some files (e.g., PayPal API or the PayPal security cert) outside of your public_html directory so that no one can access them directly and your PHP application can still use them. On the other hand, if your PHP application has any security holes or becomes compromised, this presents a risk because the malicious user might snoop or write any file that's readable/writable by the Apache user.
As a general rule of thumb, try to put any files containing passwords or secret data OUTSIDE of the public_html directory. If PHP is running correctly on your server, then someone requesting this file would just see a blank page:
<?php
define('MY_SECRET_PASSWORD', 'pleasedonottellanyone');
?>
However, if PHP is not installed properly or someone manages to reboot your webserver with PHP support turned off, then the source code will be visible. If you put this file outside the public_html directory, then it will be much more difficult to access via HTTP.
As a beginner, it is much more likely that you will mishandle user input somehow and that might permit a malicious user to do some SQL injection or set important variables you have not initialized properly because register_globals is turned on. You might try reading this:
http://www.php.net/manual/en/security.php
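
The placement advice above, as an added example that is not part of the original post: a loader that refuses a secrets file sitting inside the web root or carrying loose permissions. The function name `load_secrets`, the `private/secrets.php` layout and the temp-directory demo are assumptions made for illustration, and a Unix-style host is assumed.

```php
<?php
declare(strict_types=1);

// Added example: load secrets only from a file outside the web root.
function load_secrets(string $secretsFile, string $docRoot): array
{
    $file = realpath($secretsFile); // resolves symlinks and ../
    $root = realpath($docRoot);
    if ($file === false || $root === false) {
        throw new RuntimeException('secrets file or document root not found');
    }
    // A file under the document root is served as plain text if PHP handling is off.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("$file is inside the web root");
    }
    // No permission bits at all for "other" local users.
    $perms = fileperms($file);
    if ($perms === false || ($perms & 0007) !== 0) {
        throw new RuntimeException("$file is accessible to every local user");
    }
    // The web server user only needs read access; a compromised app could alter a writable file.
    if (is_writable($file)) {
        throw new RuntimeException("$file is writable by the current user");
    }
    $secrets = require $file; // the file is expected to "return [...];"
    if (!is_array($secrets)) {
        throw new RuntimeException("$file did not return an array");
    }
    return $secrets;
}

// Constructed demo layout in a temp directory (stands in for a hosting account).
$base = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0755, true);
mkdir("$base/private", 0750);
$code = "<?php return ['MY_SECRET_PASSWORD' => 'pleasedonottellanyone'];";
foreach (["$base/private/secrets.php", "$base/public_html/secrets.php"] as $path) {
    file_put_contents($path, $code);
    chmod($path, 0440); // read-only for owner and group, nothing for others
}
foreach (['private', 'public_html'] as $dir) {
    try {
        $s = load_secrets("$base/$dir/secrets.php", "$base/public_html");
        echo "$dir: loaded ", count($s), " secret(s)\n";
    } catch (RuntimeException $e) {
        echo "$dir: refused (", $e->getMessage(), ")\n";
    }
}
```

Run as an unprivileged user, the copy under `private` loads and the copy under `public_html` is refused; as root, `is_writable()` reports true for every file, so both are refused.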