A very secure option is to put the PHP parser binary somewhere outside of the web tree of files, in /usr/local/bin for example. The only real downside to this option is that you will now have to put a line similar to:
#!/usr/local/bin/php
as the first line of each file containing PHP code, and make that file executable, so that the web server launches it the same way as any other CGI script that uses the #! shell-escape mechanism for launching itself.
To get PHP to handle PATH_INFO and PATH_TRANSLATED information correctly with this setup, the cgi.discard_path ini directive has to be enabled.
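As an added example (not from the PHP manual), a small POSIX shell audit for this setup: it confirms the interpreter is not under the document root, that each .php script is executable and starts with the expected #! line, and that cgi.discard_path is enabled in php.ini. The document root, script names and php.ini path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PHP manual. Audits a CGI-style layout where
# the parser lives outside the web tree (/usr/local/bin/php as in the text)
# and every script starts with a "#!" line pointing at it.

# check_script FILE PHP_BIN DOCROOT
# Succeeds only when PHP_BIN is outside DOCROOT, FILE is executable and
# FILE's first line is exactly "#!PHP_BIN".
check_script() {
  file=$1; php_bin=$2; docroot=$3
  case "$php_bin" in
    "$docroot"/*)
      echo "FAIL: interpreter $php_bin is reachable inside the web tree"
      return 1 ;;
  esac
  [ -x "$file" ] || { echo "FAIL: $file is not executable"; return 1; }
  first=$(head -n 1 "$file")
  if [ "$first" != "#!$php_bin" ]; then
    echo "FAIL: $file starts with '$first', expected '#!$php_bin'"
    return 1
  fi
  echo "OK: $file"
  return 0
}

# audit_docroot DOCROOT PHP_BIN
# Runs check_script on every .php file under DOCROOT; exit status is the
# number of failing scripts (0 means the whole tree passed).
audit_docroot() {
  docroot=$1; php_bin=$2; failures=0
  for f in $(find "$docroot" -name '*.php'); do
    check_script "$f" "$php_bin" "$docroot" || failures=$((failures + 1))
  done
  return $failures
}

# check_ini PHP_INI
# Succeeds when an uncommented cgi.discard_path line enables the directive,
# which this setup needs for correct PATH_INFO / PATH_TRANSLATED handling.
check_ini() {
  grep -Eiq '^[[:space:]]*cgi\.discard_path[[:space:]]*=[[:space:]]*(1|on|true|yes)[[:space:]]*$' "$1"
}
```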