If you have PHP installed, then obviously you’re going to run PHP code. Some of that code might be written by third-party developers and some of it you might write yourself. Either way, you should learn about secure coding practices for PHP. Doing so can help you write better code and help you audit third-party code for potential problems.

To help you write your own secure PHP code, I went looking for resources and found several decent Web sites that offer guidance on writing secure code, along with some tools that scan code for vulnerabilities. The sites at the URLs below are a big help, so take some time to study them carefully.

Secure Programming in PHP: http://www.cgisecurity.com/lib/php-secure-coding.html

PHP - Secure coding: http://www.linuxformat.co.uk/wiki/index.php/PHP_-_Secure_coding

Secure Programming for Linux and Unix HOWTO, Chapter 10, Language-Specific Issues, 10.8 PHP (this pertains to Windows also): http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html

PHP Security Consortium's PHP Security Guide: http://phpsec.org/projects/guide/

PHP Input Filter (Developer Shed's Network, PHP Scripts): http://www.scripts.com/php-scripts/security-scripts/php-input-filter/

SecurePHP Wiki: http://www.securephpwiki.com/index.php/Main_Page

PHP Top 5 (security problems extracted from the SANS Top 20 list): http://www.owasp.org/index.php/PHP_Top_5

Top 10 ways to crash PHP: http://ilia.ws/archives/5_Top_10_ways_to_crash_PHP.html

Chorizo! Web Application Security Scanner: http://chorizo-scanner.com/

PHP Security Scanner: http://securityscanner.lostfiles.de/