From XSS News comes a link to an application called Pixy. It is a java app that takes PHP code and warns of potential cross site scripting and/or SQL injection vulnerabilities.
There is plenty of documentation, with good explanations of what Pixy can and cannot achieve. For example you cannoy throw it a directory of code, and have it find problems. If your PHP code has multiple entry points, then it needs to be run once for each of these.
A web version is available to do XSS test on single pieces of PHP code. There is a requirement to have Perl installed on your system for the download version.