In this post on the Sitepoint PHP Blog, Harry Fuecks makes a quick mention of another blog post dealing with the enhancements in PHP6 and another handy feature he noticed as well.
Pierre-Alain Joye picked this one up last week, and it needs repeating. For PHP6 the following are already gone from CVS: Register globals, Magic quotes, Safe mode.
As blogged a while back, you'll find these changes discussed here. Nice use of carrot and stick in fact - for the pain on fixing your apps to run under PHP6, you get Unicode.
The other feature he's noticed pertains to the php.ini settings file that PHP uses:
Just noticed a new ini setting here: "allow_url_include - PHP_INI_SYSTEM Available since PHP 6.0.0." Excellent! That eliminates another major source of exploits (perhaps the biggest) have moaned about that before here and here.