The US Government is actually leading the way on software security.
http://cwe.mitre.org/top25/ is a good place to start. They cover all languages, so not all will apply to PHP, but they link each weakness with sample code, attack patterns, and to actual vulnerabilities out there in the wild which displayed that particular weakness.