PHP programmers of common security mistakes
The most important concept is that you should never trust the user to input exactly what is expected. The way most PHP scripts are compromised is by entering unexpected data to exploit security holes inadvertently left in the script.
1. Never include, require, or otherwise open a file with a filename based on user input, without thoroughly checking it first.
2. Be careful when using register_globals = ON.
3. Be careful with eval()
4. For protected areas, use sessions or validate the login every time
5. Never run unescaped queries
6. If you want the file contents to be hide, give the file a .php extension