When you're accessing a script through the web the server's webserver handles the POST and GET requests to the script... if everything's set up properly the script will execute and the webserver will forward the script's output to the client's browser. In this situation $sreaon will not be exposed to the web client so long as the script itself does not output it; the server leaves everything to the CGI, and it's up to the CGI to determine what gets output or not.

However, the kicker here is "everything properly set up." If the webserver doesn't recognize your script as a CGI (i.e., if the permissions are set incorrectly) then a POST or GET request for your script will output the source of your script to the browser instead of the executed script's output. In addition, if there's some other CGI on your server that allows webusers to view scripts without executing them you could be exposed that way, too. (There used to be, for example, a script installed in old Apache distributions that could be abused to "echo" arbitrary sourcecode to a browser window.)

And of course your source could be read using methods other than the web server. If the server handles other services (FTP, Telnet, SSH, etc.) someone could potentially access your source and secret variable that way, too. It gets very complicated very quickly... how much effort you go to to protect your information depends on your paranoia level and the value of your data.