If you’re working on PHP 4.x, here’s a tool which checks if your codebase is succeptible to Cross site scripting or SQL injection.

Pixy is a Java program that performs automatic scans of PHP 4 source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

Pixy still doesn’t support PHP 5 !

Pixy: XSS and SQLI Scanner for PHP