Simple, always use the DB’s quoting options. If you’re using mysql, always use mysql_real_quotes() around ALL string types. Always use intval(), floatval(), doubleval(), etc. around ALL numerical type data (most common you’ll use is intval(), unless it has a decimal, then it’s floatval()).
NEVER use direct user input within SQL queries. Everything has to be cleaned up somehow. Using the above methods will work best. Never assume the user entered what you expected.
When writing a form mail script, NEVER EVER accept the “to” field from within user input. Always hard code your “To:” value or grab it from the DB or something. Never rely on a hidden input field or query string; this just opens up your script for spammers to use their own TO address to send loads of mail through your script.
And that’s all I can think of right off hand. Those are the two top issues with scripts. If you’re using PHP5, I’d also suggest turning on E_STRICT by adding error_reporting(E_STRICT) to the top of your scripts. Code it right the first time so you don’t develop any bad habits. Don’t rely on HTTP_*_VARS (long_array_vars) as they’ll go poof in PHP6. Don’t EVER use register_globals, addslashes() or magic_quotes, as they are security holes in your script.
Okay, think I’m done now.
I’m sure if Simon sees this post, he might have more to add. He definitely knows his stuff, too.
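As an added example (not from the post or its author), here is the same discipline in Python: numeric input is coerced before it reaches the query, string input is handed to the database driver's own quoting (a sqlite3 bound parameter, standing in for the MySQL escaping function the post recommends), and the form-mail recipient is hard-coded so a submitted "to" field is ignored. The table, its rows and the recipient address are constructed for the demo.

```python
import sqlite3

# Constructed placeholder: the recipient lives in code, never in the form.
HARDCODED_TO = "orders@example.com"


def to_int(raw, default=0):
    # The role intval() plays in the post: anything that is not a clean
    # integer becomes the default instead of reaching the SQL text.
    try:
        return int(str(raw).strip())
    except (ValueError, TypeError):
        return default


def to_float(raw, default=0.0):
    # Same discipline for decimals (floatval()).
    try:
        return float(str(raw).strip())
    except (ValueError, TypeError):
        return default


def open_demo_db():
    # In-memory SQLite table with constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.5)])
    return conn


def find_product(conn, raw_id, raw_name):
    # Numbers are coerced first; the string is bound by the driver, so quotes
    # or keywords inside it are data, not SQL.
    product_id = to_int(raw_id)
    sql = "SELECT id, name, price FROM products WHERE id = ? OR name = ?"
    return conn.execute(sql, (product_id, str(raw_name))).fetchall()


def build_mail(form):
    # Form-mail handler: "To" is fixed, so a hidden "to" input or query-string
    # value in the submitted form has no effect on where the message goes.
    return {"To": HARDCODED_TO,
            "Subject": str(form.get("subject", "")),
            "Body": str(form.get("message", ""))}


if __name__ == "__main__":
    db = open_demo_db()
    print(find_product(db, "1", ""))                      # the real row only
    print(find_product(db, "1 OR 1=1", "x' OR '1'='1"))   # [] : id -> 0, name stays literal
    print(build_mail({"to": "spammer@example.net", "subject": "hi", "message": "test"}))
```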