On Halloween 2005 I disclosed a number of bugs in phpBB, including a remote code execution exploit through the signature_bbcode_uid variable. You will not find this vulnerability in the phpBB security tracker, because it is the phpBB project's practice to blame their bugs on PHP and/or otherwise downplay or hide them. Unfortunately there is now a public exploit for this vulnerability, which was released yesterday while most of us were celebrating Christmas.
This example seems to explain how a script should configure its logging in a secure way. I cannot say what the book says about this example, because I don't feel like wasting my money on it. Maybe the guys who say they have reviewed it can comment on it.
However, anyone who looks at the example above and has a clue about file permissions should start to laugh, because it should not work. Then you try it and are surprised that it actually works. The thing is, the author obviously wants to log errors into the Apache error log, so he points PHP's error_log directive at that file. Of course PHP fails to open the file, because on a sanely configured webserver the Apache error log is writable only by root. The example works anyway, because when PHP cannot open the configured error_log file it falls back to the SAPI error handler, and under mod_php that handler passes the message to Apache's own logging subsystem, which writes it into the very file in question. So the example is simply wrong and only works because of a fallback.
This example, however, uses a different way to log to the Apache error_log, one that has no fallback handler at all. That means this code can only work if it is executed as the root user or if the Apache error_log file is writable by the Apache user, which should never be allowed. I wonder how Apache and PHP are configured on the servers of the author and the people who reviewed the book.
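To make the difference between the two logging paths concrete, here is an added example of my own; it is not the book's code and not the original examples. It assumes mod_php and a Debian-style log path (/var/log/apache2/error_log); the application log path /var/log/php/app.log is likewise an assumption. The first approach "works" only because PHP silently falls back to the SAPI logger; the second has no fallback and fails on a sanely permissioned Apache log.

```php
<?php
// Added example, not from the book or the original post.
// Assumed path of the Apache error log (root-owned, mode 0644 on a sane box).
$apacheLog = '/var/log/apache2/error_log';

// Approach 1: point PHP's own error_log directive at the Apache file.
// PHP cannot open the root-owned file, but php_log_err() then falls back to
// sapi_module.log_message(), which under mod_php is Apache's own logger.
// The line still appears in the Apache error log, purely via the fallback.
ini_set('log_errors', '1');
ini_set('error_log', $apacheLog);
trigger_error('approach 1: reached the Apache log via the SAPI fallback', E_USER_WARNING);

// Approach 2: error_log() with message_type 3 appends straight to the named
// file. There is no fallback: if the web server user cannot write the file,
// the call fails and returns false, and the message is lost.
$ok = error_log("approach 2: direct append\n", 3, $apacheLog);
if ($ok === false) {
    // The right reaction is NOT to chmod the Apache log so the httpd user can
    // write it. A world- or httpd-writable Apache log lets any script on the
    // box forge or truncate the server's audit trail.
    trigger_error('direct append to the Apache error_log failed (as it should)', E_USER_WARNING);
}

// Sane configuration, variant A: leave error_log unset and let the SAPI
// handler (Apache) do the logging. No fallback is needed because this IS
// the handler the fallback would have used.
ini_restore('error_log');
trigger_error('logged through the SAPI handler on purpose', E_USER_NOTICE);

// Sane configuration, variant B: log to a file the web server user owns.
// Check the permissions explicitly instead of relying on silent fallbacks.
$appLog = '/var/log/php/app.log';   // assumed path, owned by the httpd user
if (is_writable($appLog) || (!file_exists($appLog) && is_writable(dirname($appLog)))) {
    error_log("logged to an application-owned file\n", 3, $appLog);
} else {
    trigger_error("application log $appLog is not writable by the web server user", E_USER_WARNING);
}
```

Run it as the web server user (not as root, which would mask the whole point): the first trigger_error() lands in the Apache error log through the fallback, the direct error_log(..., 3, ...) to the Apache file returns false, and a quick `ls -l /var/log/apache2/error_log` shows why. If the second call succeeds on your server, the Apache error log is writable by the httpd user, and that is the misconfiguration to fix.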
PS: And I really wonder how fast, after the author reads this, we are again kicked out of their library...