Stopping PHP ability to read/write other PHP files

You'll have to protect your website and Linux/Unix does this very well, set minimal permissions for group and others on your website's root directory:

chmod 0711 /var/virtualhosts/example.com

# ls -ald /var/virtualhosts/example.com
drwx--x--x  4 example    example    4096 Oct  9 08:43 example.com

Restrict access to files in PHP with open_basedir:

# virtual host config
php_admin_value open_basedir "/var/virtualhosts/example.com:/tmp"

# directory config
<Directory /home/bad_user>
    php_admin_value open_basedir "/home/bad_user:/tmp"
</Directory>

Disable dangerous functions from PHP:

# /etc/php.ini
disable_functions = "dl,shell_exec,passthru,exec,
                    popen,system,proc_terminate,proc_close,stream_socket_server"

Use su - user to test permissions they have on your website.

su - apache -s /bin/bash 
cd /var/virtualhosts/example.com
ls -al
cat /var/virtualhosts/example.com/db.config.php

You want to disable php for the home folder.

When using PHP as an Apache module (default on Ubuntu 10.04), add the following to your Apache configuration

<Directory /home>
  php_admin_value engine Off
</Directory>

You should probably also use Options -ExecCGI and AllowOverride None there for safety. See the official Apache security tips. If your webserver have other kinds of scripts enabled (like mod_perl), be sure to disable them for the home folder too.

suPHP is really your best bet here. You would setup each user to run their scripts as their own user, then chmod their directories so that other users cannot read them. Do not rely on open_basedir, it's not going to work 100%.

Since you are allowing uploads, you are always going to have to worry about people uploading things they shouldn't. I'd suggest running something like Linux Malware Detect. It alerts you when things like shells and DoS scripts get uploaded to your servers.