As time goes on, I will be adding security focused resources. The resources listed below are all either geared towards PHP or useable by PHP developers in some manner.
A security pattern is a well-understood solution to a recurring information security problem. They are patterns in the sense originally defined by Christopher Alexander (the basis for much of the later work in design patterns and pattern languages of programs), applied to the domain of information security. A security pattern encapsulates security expertise in the form of worked solutions to these recurring problems, presenting issues and trade-offs in the usage of the pattern. This page presents our completed research into security patterns for Web application development.
The [phpsec] mailing list
[phpsec] is a mailing list dedicated to the security of PHP and its related applications. Our goal is to maintain an early-warning system through which developers, systems administrators and researches can discuss and exchange information about maintaining PHP, PHP applications and PHP systems secure.
PHP Security Consortium
Seems like a start, though I haven't seen much put into place here. However, it's news, and interesting.
Hardened-PHP adds security hardening features to PHP to protect your servers on the one hand against a number of well known problems in hastily written PHP scripts and on the other hand against potential unknown vulnerabilities within the engine itself.
Security Thread on DevShed
The purpose of this document is to inform PHP programmers of common security mistakes that can be overlooked in PHP scripts. While many of the following concepts may appear to be common sense, they are unfortunately not always common practice. After applying the following practices to your coding, you will be able to eliminate the vast majority of security holes that plague many scripts. Many of these security holes have been found in widely-used open source and commercial PHP scripts in the past.
The most important concept to learn from this article is that you should never trust the user to input exactly what is expected. The way most PHP scripts are compromised is by entering unexpected data to exploit security holes inadvertantly left in the script.
Foiling Cross Site Scripting Attacks (XSS)
Here's an article from php|architect that discusses both XSS and CSRF from Chris Shiflett.
Chris Shiflett's Security Workbook
Excellent PDF covering security in PHP.
An excellent resource covering most aspects of XSS. Very comprehensive, and a great place to start.
f you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate these risks or how to write the actual cookie/credential stealing portion of the attack. It will simply show the basic attack vectors and you can infer the rest. I may add mitigation techniques or other forms of XSS like button/form overwriting later, since I haven't found many good resources on this topic thus far.