Many unix editors (don't know about windows) automatically save backup files with a tilde following the file's name - like config.php~ .

On my server, these files don't show up in directory listings (yes I know, you shouldn't allow directory listings), however, if you do type in the exact url of the file, it's displayed as source.

Just a bit of advice for the super-lazy-or-hasty php people: make sure you configure your server, ftp client, editor, or whatever, to prevent this from happening - it's so easy to think, OK, this script is done, let's go ftp up that directory now, when it's still full of backup files. I haven't read of any exploits ocurring using this method, but then again, I haven't seen warnings on the php sites about backup files either.