"If you do not design your application with security in mind, you are doomed to be constantly addressing new security vulnerabilities. Careful programming cannot make up for a poor design."
-- PHP Security Guide, Chapter 1, Section 1.1
This guide certainly gets to the point. The PDF is only 37 pages long, so it's a fairly short read. It covers global variables, data filtering, error reporting, form processing, XSS, CSRF, SQL injection, session hijacking, and file-system concerns, with sample code throughout.
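To make the guide's themes concrete, here is an added example (my own code, not taken from the PHP Security Guide) of a small comment-form handler that applies several of them at once: a per-session CSRF token checked in constant time, whitelist filtering of input, prepared statements so user data never becomes part of the SQL text, and escaping at output time rather than on input. The comments table, field names and the sample requests are all constructed for the example; it uses an in-memory SQLite database so it runs stand-alone from the CLI.

```php
<?php
// Added example, not from the PHP Security Guide. Assumed (hypothetical) schema:
// comments(id, author, body). Runs stand-alone with PHP's sqlite PDO driver.
declare(strict_types=1);

session_start();

// CSRF: issue one random token per session; every form embeds it, the handler checks it.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // bind server-side where the driver supports it
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Handle one POSTed comment. $post stands in for $_POST so the function can be called directly.
function handle_post(PDO $pdo, array $post, string $sessionToken): array
{
    // CSRF check first: compare in constant time, reject a missing or wrong token.
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])
        || !hash_equals($sessionToken, $post['csrf_token'])) {
        return ['ok' => false, 'error' => 'invalid CSRF token'];
    }

    // Data filtering: state what each field MAY contain instead of trying to strip "bad" characters.
    $author = $post['author'] ?? null;
    $body   = $post['body'] ?? null;
    if (!is_string($author) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $author)) {
        return ['ok' => false, 'error' => 'invalid author'];
    }
    if (!is_string($body) || $body === '' || strlen($body) > 2000) {
        return ['ok' => false, 'error' => 'invalid body'];
    }

    // SQL injection: the statement text is fixed; user data only ever travels as bound parameters.
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);

    return ['ok' => true, 'id' => (int) $pdo->lastInsertId()];
}

// Render stored comments. XSS is handled here, at output time, for the HTML context.
function render_comments(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT author, body FROM comments ORDER BY id') as $row) {
        $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $body   = htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html  .= "<p><b>{$author}</b>: {$body}</p>\n";
    }
    return $html;
}

// Constructed sample requests standing in for $_POST.
$token  = $_SESSION['csrf_token'];
$forged = ['author' => 'mallory', 'body' => 'hello', 'csrf_token' => 'not-the-real-token'];
$sqli   = ['author' => 'bob',     'body' => "'); DROP TABLE comments; --", 'csrf_token' => $token];
$xss    = ['author' => 'alice',   'body' => '<script>alert(1)</script>',  'csrf_token' => $token];

// The forged request is rejected before any field is examined.
print_r(handle_post($pdo, $forged, $token));
// The injection attempt is stored as an ordinary string; the table is untouched.
print_r(handle_post($pdo, $sqli, $token));
// The script tag is stored verbatim and neutralised when rendered.
print_r(handle_post($pdo, $xss, $token));
echo render_comments($pdo);
```

The whitelist on `author` is deliberately strict; `body` is allowed to contain anything up to a length limit, which is why the injection and script payloads are accepted and the protection has to come from the prepared statement and from `htmlspecialchars()` respectively. Escaping belongs to the output context, so a value destined for a JavaScript string or a URL would need a different encoder than the one shown here.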
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.
This looks like a pretty nice way of securing PHP-based app servers. The FAQ details some things that might just surprise you if you think your PHP installation is secure.