Good Programming in PHP
|Pixy||Free||stand-alone script|| While it may seem slightly outdated (its homepage advertises PHP4 support),
Pixy does a great job at finding Cross-Site Scripting and SQL/Code-injection vulnerabilities.
|RATS||Free||stand-alone script|| RATS targets various languages and has specific detection rules for each.
In the case of PHP, it targets calls to some library functions.