php security tips
By liviu - Posted on May 27th, 2009
Again from the book "Programming PHP, 2nd Edition" by Rasmus Lerdorf, Peter MacIntyre and Kevin Tatroe.
The security chapter recap:
- Filter input to be sure that all data you receive from remote sources is the data you expect. Remember, the stricter your filtering logic, the safer your application.
- Escape output to be sure that your data isn't misinterpreted by a remote system.
- Always initialize your variables. This is especially important when the register_globals directive is enabled.
- Disable register_globals, magic_quotes_gpc, and allow_url_fopen. See http://www.php.net for details on these directives.
- Whenever you construct a filename, check the components with basename() and realpath().
- Store includes outside of the document root. It is better not to name your included files with the .inc extension. Name them with a .php extension, or some other less obvious extension.
- Always call session_regenerate_id() whenever a user's privilege level changes.
- Whenever you construct a filename from a user-supplied component, check the components with basename() and realpath().
- Don't create a file and then change its permissions. Instead, set umask() so that the file is created with the correct permissions.
- Don't use user-supplied data with eval(), preg_replace() with the /e modifier, or any of the system commands (exec(), system(), popen(), passthru(), and the backtick (`) operator).
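The two filename rules above (check user-supplied path components with basename() and realpath()) put into practice. This is an added example, not code from the book or the post; the base directory /var/www/app/uploads and the function name safePath are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied file name inside $baseDir.
 * Returns the absolute path, or null if the request escapes the
 * directory or the file does not exist. (Hypothetical helper.)
 */
function safePath(string $baseDir, string $userFile): ?string
{
    // basename() drops any directory part the client sent:
    // "../../etc/passwd" becomes "passwd"
    $name = basename($userFile);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // Resolve the base directory itself (symlinks, trailing "/")
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }

    // realpath() resolves symlinks and "..", and returns false
    // when the file does not exist
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false) {
        return null;
    }

    // Final check: the resolved path must still sit under the base
    // directory (a symlink placed in the directory could otherwise
    // point outside it)
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Usage: $_GET['file'] is untrusted input; on failure answer with an
// error instead of touching the raw value (assumed directory)
$path = safePath('/var/www/app/uploads', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
readfile($path);
```

Because realpath() returns false for non-existent files, the same check also covers the "does it exist" case without a separate file_exists() call.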