/etc/php5/apache2/php.ini values I set to "Off":
I don't bother with any of the safe_mode variables, for reasons cited here: http://ilia.ws/archives/18_PHPs_safe_mode_or_how_not_to_implement_security.html
I set "error_reporting = E_ALL". This gives notice of uninitialised variables, among other things.
I also add "disable_functions = dl, phpinfo, system, mail, shell_exec, exec, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, popen, pclose, chown, disk_free_space, disk_total_space, diskfreespace, fileinode, max_execution_time, set_time_limit,highlight_file, show_source", to block scripts' ability to invoke inherently dangerous PHP access to system commands. (If ever desirable, those should be enabled on an as-needed, explicit per-command basis. Please note that the foregoing list is from PHP5. Some functions cited may not even be supported in some prior PHP versions.)
Why register_globals was always a bad idea and was disabled by default (and heavily discouraged) starting with PHP 4.2.0: http://en.wikibooks.org/wiki/Programming:PHP:Register_Globals
Recognition of, and explantion of, the problem as of the PHP 4.1.0 release: http://www.php.net/release_4_1_0.php
Values in /etc/php5/apache2/php.ini that I change from their "Off" defaults to "On":
I also uncomment "error_log=syslog" (since debugging information should go there and not to the public Web).
My distro furnishes a couple of prototype php.ini files:
The former was evidently furnished by Javier Fernández-Sanguino Peña (email@example.com). I'll soon be diff'ing it against my own. There might be an article in it. ;->
Security Consortium site)
http://www.php.net/features.safe-mode (Safe mode features of PHP)
http://shiflett.org/archive/81 (Chris Shiflett's talks on PHP security)
http://www.phpsecure.info/ (PHP security site)
David Wheeler has some worthwhile observations about PHP security
in the Secure Programming for Linux and Unix HOWTO:
The Debian Administration Web site has: "Tightening PHP Security", at http://www.debian-administration.org/articles/138.
 Googling on that filename, one finds http://olympus.het.brown.edu/cgi-bin/dwww?type=file&location=/usr/share/doc/libapache2-mod-php4/examples/php.ini-paranoid, which is probably the same file.