Web servers don't magically start returning the source code instead of executing the script. Test changes to the config before making them in production, and test your changes in production after making them.

You could add a level of indirectness by making your scripts setuid scripts and removing group-read and other-read permissions. This has the added advantage that your data files need not be readable by the web server account anymore.