It was hard for me to understand this matter, so I'd like to share a piece of my experience:

 * What is the **protected** field? It's **nothing more** than a field that can't be accessed outside a class, i.e. *publicly*, like this: `$classInstance->field`. And the trick is that "this is it". Your class' children will have **full** access to it, because it's their rightful internal part.
 * What is the **private** field? It's a "**true private**" for your very own class **and** your very own implementation of this class. "Keep out of reach of the children", just like on a medicine bottle. You will have a guarantee that it's unoverridable by your class' derivatives; your methods - when called - will have **exactly** what you've declared.

UPDATE: a practical example from a real task I've solved. Here it is: you have a token, like USB or LPT (that was my case), and you have a middleware. The token asks you for a pincode, opens up if it's correct, and you can send an encrypted part and the number of a key to decipher. The keys are stored in the token; you cannot read them, only use them. And there were *temporary* keys for a session, signed by a key in the token, but stored in the middleware itself. The temp key was not supposed to leak everywhere outside, just to exist on a driver level. And I used **private** fields to store this temporary key and some hardware-connection-related data. So no derivatives were able to use not just a public interface, but also some **protected** "handy" subroutines I've made for a task, but were unable to open a strongbox with the keys and HW interaction. Makes sense?
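
The layout described in the answer, as an added PHP sketch (not the answer author's code): the class names, the `frame()` helper and the HMAC standing in for the real cipher are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical middleware class; every name here is illustrative.
class TokenMiddleware
{
    // Private: reachable only from methods declared in TokenMiddleware itself.
    private string $sessionKey;

    public function __construct()
    {
        // Constructed sample value standing in for the token-signed temporary key.
        $this->sessionKey = random_bytes(32);
    }

    // Protected "handy" subroutine: subclasses may call it, outside code may not.
    protected function frame(string $payload): string
    {
        return pack('N', strlen($payload)) . $payload; // 4-byte length prefix
    }

    // Uses the private key internally and never returns it; final, so a
    // subclass cannot swap in its own implementation of this step.
    final public function seal(string $payload): string
    {
        return hash_hmac('sha256', $this->frame($payload), $this->sessionKey);
    }
}

class LoggingMiddleware extends TokenMiddleware
{
    // A same-named property in the child is a separate slot; it does not
    // override or expose the parent's private $sessionKey.
    public string $sessionKey = 'child-value';

    public function framedLength(string $payload): int
    {
        return strlen($this->frame($payload)); // protected helper is reachable
    }
}

$m = new LoggingMiddleware();
var_dump($m->framedLength('abc')); // subclass uses the protected helper
var_dump($m->sessionKey);          // the child's own property, not the parent's key
// seal() still runs with the parent's private key, so a tag computed with the
// child's value does not match:
var_dump(hash_equals($m->seal('abc'),
    hash_hmac('sha256', pack('N', 3) . 'abc', 'child-value')));
```

`private` is a visibility rule enforced by the language, not memory protection: PHP's Reflection API can still read such a property, so it guards against use by subclasses rather than against other code running in the same process.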