在哪里放我的PHP文件

It's pretty safe. If you have PHP installed, your webserver will always try to run the PHP file rather than showing its code, and even if the code fails, you will get an error message or a blank page rather than the code.

Apart from that, you can use .htaccess or other kinds of server configuration to disable viewing of those files.

But.. It must be said though, that if any of these settings are not configured correctly, the webserver may indeed serve the PHP files as plain text files!

So I think it is a good idea to move all php files out of the www folder if they should not be accessed directly. Quite often you'll find only one index.php which handles all requests and includes other php files. PHP files that are not in www (the document root), can still be included, so it's a good safety measure to put these files in a separate folder. That way, you reduce the risk of exposing those files when you make a tiny little configuration error.

After all, even when it worked before, it's very easy to break it. Maybe you want to tweak your configuration a little, or you are on a shared host where the hosting provider might make changes without you knowing, so it's just a wise thing to do.

So.. It is a good idea to move files out of the www folder. It's usually very easy to do this (although it depends on your application structure), so it's just an extra safety measure that usually won't cost you a dime.

And if it's hard (due to your current application structure) to completely move all files out of the document root, make sure that at least configuration files with passwords are outside of the www folder, followed by database access files that might expose any security issues you might have in your implementation.