PHP code is on server side, so it is totally hidden from the user; and HTML is on client side, so it is fully opened, as it is fully delivered to the client, once the client can see the page. In both cases, the user cannot modify the content.
You don't need anything to "protect" content. Even though some security vulnerabilities on the server may exist, they are not related to your Web application; your hosting provider is responsible for those issues; and you cannot help it or make it worse.
The malicious artist does not have to act as a user of your site. It's really easy to fabricate any request directly. This request ask to can create a delete some files you never meant to, it can inject some mail header to turn your server host into a zombie sending spam, it can use SQL injection
to screw up your database, and a lot more.
This is a nice example: http://xkcd.com/327/
For other cases, please see my past answers on injection methods:
hi name is not displaying in name?
EROR IN UPATE in com.ExecuteNonQuery();
unable to send mail , it showing the error in below code .
How to learn safe programming? First of all, you need to learn how HTTP and Web work; your question reveals that at this time you have a very vague understanding of it. Everything else is pure logic. If you understand what can come in and what's goes out, you will be able to sanitize all possible HTTP request to limit them only to a legitimate cases. Also note that most of the server-side processing is read-only, so you should focus only on the cases when your server-side code really needs to modify something or produce some side effects, in addition to usual HTTP response.