in reply to Retrieval of script values
However, the kicker here is "everything properly set up." If the webserver doesn't recognize your script as a CGI (i.e., if the permissions are set incorrectly) then a POST or GET request for your script will output the source of your script to the browser instead of the executed script's output. In addition, if there's some other CGI on your server that allows webusers to view scripts without executing them you could be exposed that way, too. (There used to be, for example, a script installed in old Apache distributions that could be abused to "echo" arbitrary sourcecode to a browser window.)
And of course your source could be read using methods other than the web server. If the server handles other services (FTP, Telnet, SSH, etc.) someone could potentially access your source and secret variable that way, too. It gets very complicated very quickly... how much effort you go to to protect your information depends on your paranoia level and the value of your data.