Here are some tutorials on general PHP security.

It is important to make sure you are always filtering input and escaping output in your PHP code. Here are some tutorials that will teach you more about this. If you fail to do this, your site may be vulnerable to cross-site scripting attacks.

Be aware of some potentially dangerous issues in PHP such as register_globals, allow_url_fopen, magic_quotes_gpc, and display_errors. Also take a look at the general programing code security resource page to learn about various attacks by hackers and how to prevent them.

General PHP Security

• PHP Security on phpfreaks.com
• PHP security audit talk - Chris Shiflett explains filtering input and escaping output in this video
• Security risk associated with error handling

Filtering Input

• ctype_alnum

Escaping Output

• htmlspecialchars
• htmlentities
• mysql_real_escape_string - prevents sql injection

register_globals

• Security Issues with Superglobals and register_globals

allow_url_fopen

• Security issue with allow_url_fopen
• cURL as alternative of allow_url_fopen

Magic Quotes

• What are Magic Quotes
• PHP Magic Quotes

display_errors

• recommendation for display_errors to be off