Good Programming in PHP

Tools

Pixy Free stand-alone script While it may seem slightly outdated (its homepage advertises PHP4 support),
Pixy does a great job at finding Cross-Site Scripting and SQL/Code-injection vulnerabilities.
RATS Free stand-alone script RATS targets various languages and has specific detection rules for each.
In the case of PHP, it targets calls to some library functions.

Further Reading