Ok first a few minor errors in your code, but since it is just an example that does not really matter.
Exploitation of your code is not possible when the page is streamed out, because the periods and other PHP command codes you insert in your page are not streamed out to the client machine.
From your example
- <?php
-
-
$test = $_POST['test'];
-
-
echo 'You wrote '.$test.'!';
-
-
?>
the streamed out page would not include any of the php code
ie: echo, the single quotes, ., or even the variable $test.
The only thing the user would see and have access to would be
You wrote something where something is the content of the variable $test.
To exploit your page the hacker would have to inject some code into one of your input fields.
It may be helpful for you to read this
link
PHP code is not exposed to the user like javaScript. So you have no concern here.