Note - avoid PHP - received this from bugtraq not too long ago:
Several vulnerabilities were found in PHP:
- PHP ships a vulnerable version of the PCRE library which allows for
the circumvention of security restrictions or even for remote code
execution in case of an application which accepts user-supplied
regular expressions (CVE-2008-0674).
- Multiple crash issues in several PHP functions have been
discovered.
- Ryan Permeh reported that the init_request_info() function in
sapi/cgi/cgi_main.c does not properly consider operator precedence
when calculating the length of PATH_TRANSLATED (CVE-2008-0599).
- An off-by-one error in the metaphone() function may lead to memory
corruption.
- Maksymilian Arciemowicz of SecurityReason Research reported an
integer overflow, which is triggerable using printf() and related
functions (CVE-2008-1384).
- Andrei Nigmatulin reported a stack-based buffer overflow in the
FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050).
- Stefan Esser reported that PHP does not correctly handle multibyte
characters inside the escapeshellcmd() function, which is used to
sanitize user input before its usage in shell commands
(CVE-2008-2051).
- Stefan Esser reported that a shortcoming in PHP's algorithm of
seeding the random number generator might allow for predictable
random numbers (CVE-2008-2107, CVE-2008-2108).
- The IMAP extension in PHP uses obsolete c-client API calls making
it vulnerable to buffer overflows as no bounds checking can be done
(CVE-2008-2829).
- Tavis Ormandy reported a heap-based buffer overflow in
pcre_compile.c in the PCRE version shipped by PHP when processing
user-supplied regular expressions (CVE-2008-2371).
- CzechSec reported that specially crafted font files can lead to an
overflow in the imageloadfont() function in ext/gd/gd.c, which is
part of the GD extension (CVE-2008-3658).
- Maksymilian Arciemowicz of SecurityReason Research reported that a
design error in PHP's stream wrappers allows circumvention of safe_mode
checks in several filesystem-related PHP functions (CVE-2008-2665,
CVE-2008-2666).
- Laurent Gaffie discovered a buffer overflow in the internal
memnstr() function, which is used by the PHP function explode()
(CVE-2008-3659).
- An error in the FastCGI SAPI when processing a request with
multiple dots preceding the extension (CVE-2008-3660).
If you're determined to use PHP, upgrade to the latest version, though as you can see its track record isn't the best.