On his blog today, Richard Miller has posted a quick review of Chris Shiflett's book "Essential PHP Security" after reading it.
I recently finished reading Essential PHP Security by Chris Shiflett (O'Reilly). It was a good, quick read, and for me it was mostly a review of principles I had previously read on Chris's blog. The main principles are filter input and escape output. Using separate arrays for each kind of data is a best practice.
Richard also includes a quick code example of this approach: filtering POST data into a clean array, then escaping that data separately for HTML output and for MySQL queries.
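The pattern the review describes, as an added example that is not Richard's code or the book's: input is filtered into `$clean`, and output is escaped from `$clean` into one array per context (`$html`, `$mysql`). The field names, the `users` table, and the database credentials are assumptions for illustration.

```php
<?php
// Added example, not Richard Miller's code or the book's: the
// "filter input, escape output" pattern with a separate array per
// kind of data ($clean, $html, $mysql). Field names, the table and the
// database credentials are assumed for illustration.

// 1. Filter input. Only values that pass a whitelist check reach $clean;
//    everything else is rejected rather than "cleaned up".
function filter_input_fields(array $post): ?array
{
    $clean = [];

    if (isset($post['username'])
        && is_string($post['username'])
        && preg_match("/^[A-Za-z0-9_'.-]{1,32}$/", $post['username'])) {
        $clean['username'] = $post['username'];
    }

    if (isset($post['age'])
        && is_string($post['age'])
        && ctype_digit($post['age'])
        && (int) $post['age'] <= 150) {
        $clean['age'] = (int) $post['age'];
    }

    // Both fields are required; a missing key means validation failed.
    return isset($clean['username'], $clean['age']) ? $clean : null;
}

// 2a. Escape for the HTML context. ENT_QUOTES covers single quotes too,
//     which matters when a value lands inside an attribute.
function escape_for_html(array $clean): array
{
    $html = [];
    foreach ($clean as $key => $value) {
        $html[$key] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $html;
}

// 2b. Escape for a MySQL string literal. real_escape_string needs a live
//     connection because the escaping depends on the connection charset,
//     and the result is only safe inside a quoted literal.
function escape_for_mysql(mysqli $db, array $clean): array
{
    $mysql = [];
    foreach ($clean as $key => $value) {
        $mysql[$key] = $db->real_escape_string((string) $value);
    }
    return $mysql;
}

// Constructed request data so the filtering step can be traced offline.
$_POST = ['username' => "o'brien", 'age' => '42'];

$clean = filter_input_fields($_POST);
if ($clean === null) {
    http_response_code(400);
    exit('Invalid input');
}

// Output always starts from $clean and goes through exactly one escaper.
$html = escape_for_html($clean);
echo "<p>Welcome, {$html['username']} ({$html['age']})</p>\n";

// Assumed credentials; replace with real ones to run the query.
$db    = new mysqli('localhost', 'app_user', 'secret', 'app');
$mysql = escape_for_mysql($db, $clean);
$db->query("INSERT INTO users (username, age)
            VALUES ('{$mysql['username']}', '{$mysql['age']}')");
```

The separate arrays make it obvious at a glance which context a value has been prepared for, so raw `$_POST` never reaches a template or a query by accident. For the SQL side, a prepared statement (mysqli or PDO) is the stronger choice today, since it keeps data out of the query string entirely; the `$mysql` array mirrors the escaping approach the review discusses.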