That's better, but still not safe. The PHP script, encoded or not, still offers the decrypt functionality simply because that's what you programmed it to do.
All the hacker has to do is come up with the correct parameters to send to your script, and he can analyse that from how your site behaves. If he's lucky you're using GET parameters and session files, which he can simply read in the tmp dir and the webserver logs.
Remember, if a hacker is in your database, he most likely also in your system and he can see what PHP does to the other files, like session data etc.
The final point being that if you can decrypt data using your PHP scripts, so can others if they get their hands on the script and the data.
Instead of spending your time worrying about people decrypting your data once they are inside your server, you should spend some time preventing people from getting into your server in the first place. :-)
A forum, a FAQ, what else do you need?
