You should use apache proxy as explained in http://docs.neo4j.org/chunked/stable/security-server.html#_security_in_depth
The information you need is the URL to post a cypher query:
http://localhost:7474/db/data/cypher
neo4php is only a wrapper and will end up posting to that url. You can find more details here : http://docs.neo4j.org/chunked/milestone/rest-api-cypher.html
So basically this means that you only allow queries with the cypher url to have access to the neo4j server.
Regarding read only cypher queries :
I didn't check with neo4jphp, but if you use the REST API directly, you can set the database to read_only by adding to conf/neo4j.properties :
read_only=true
You can check in the webadmin that the server is indeed in read_only mode
Just tested it, the server will accept only read queries :
And will return the following response
{
"message": "Expected to be in a transaction at this point",
"exception": "InternalException",
"fullname": "org.neo4j.cypher.InternalException",
"stacktrace":
[...],
"fullname" : "org.neo4j.graphdb.NotInTransactionException"
}