Via this pointer on php|architect's site today, there's a review of their php|architect's Guide to PHP Security over on UnixReview.com.
The last chapter, "Securing your Applications", is a good summary of all the security issues and is very useful as a checklist for auditing existing applications. This chapter also includes some common-sense suggestions.
An appendix of resources would have been a nice addition to this book. But all in all, this book gives a very thorough treatment of PHP security. However, by showing how to thwart attacks, it indirectly shows how to make them. Perhaps this book should only be sold to a white list of trusted buyers so that "Dr. Evil" can never get his hands on a copy.
The author doesn't leave any stone unturned. He deals with the distinctly menacing-sounding daemonized attack scripts, the pros and cons of encryption, running PHP in safe mode, and problems you may encounter when using open source applications. I particularly liked the suggestion of setting up a sandbox and tracking suspicious activity using an SQLite database. This allows for easy analysis of data and keeps the sandbox separate from your main database.
I think that you always run that risk with any kind of security-oriented book with no real way around it. If you hide the facts from the reader, the book's just not that useful - thankfully, Ilia did nothing of the sort and made a wonderful reference for protecting you and your scripts...