Well, most hackers' attacks we can divide into the following types:

1. SQL injection
2. CSS (Cross site scripting)
3. PHP including
4. Local file including

These are the main types of attack that I can remember at the end of a work day. Remember one simple rule: "Always check incoming data!". Also register_globals, but that is another story...

1. SQL injection. If we are dealing with numeric values:

```php
// Vulnerable: the request value is pasted straight into the query.
$sql = "SELECT something FROM somewhere WHERE id = {$_GET['id']}";
```

You just need to check that it is a number:

```php
if (!is_numeric($_GET['id'])) die('Good job. Try again.');
```

If we are dealing with string values, you must check them for special symbols and escape them, and don't forget about magic_quotes (PHP by default escapes GET, POST and cookie values).

```php
// Escape every request value once unless magic_quotes already did it.
// mysql_real_escape_string() belongs to the old mysql extension and needs
// an open connection.
if (!get_magic_quotes_gpc()) {
    foreach ($_REQUEST as $key => $val) {
        $_REQUEST[$key] = mysql_real_escape_string($val);
    }
}
```

This escapes the special symbols, and any string like `' UNION SELECT * FROM admin` will be sent to MySQL as a string, not as a command. And for insurance we will join a blowfish to `md5('myverysecretpassword')`. When you insert a new user into the database, good practice is:

```php
// $blowfish is a fixed secret string appended to the password before hashing.
$blowfish = 'MORE MORE MORE... simbols... any...';
$sql = "INSERT INTO table SET password=\"" . md5($_GET['password'] . $blowfish) . "\"";
```

Now even if a hacker takes a database dump without the blowfish, he can never decrypt the password. All this you can put into a single file, for example 'security.php':

```php
<?php
if (isset($_GET['id']) && !is_numeric($_GET['id'])) die('Good job. Try again.');
if (!get_magic_quotes_gpc()) {
    foreach ($_REQUEST as $key => $val) {
        $_REQUEST[$key] = mysql_real_escape_string($val);
    }
}
$blowfish = 'MORE MORE MORE... simbols... any...';
?>
```

...and include this file from other scripts.

2. CSS (Cross site scripting). It is simple: whenever you use user data, check it for HTML tags:

```php
$str = strip_tags($str);
```

And to be more secure when you output it to the browser:

```php
echo htmlspecialchars($val);
```

Unfortunately that is all I know... Next...

3. PHP including. When you include files into a script, it is strongly not recommended to do it from another site.

```php
include('http://somewhereininternet.com');
```

Do it only if you have no other option. And never use user's data as is. I will be brief because they told me to write faster.

4. Local file including. If you read a local file, for example 'file.txt', always create an array of allowed values:

```php
$files = array('file.txt', 'anotherfile.txt');
if (!in_array($_GET['file'], $files, true)) {
    die('Good attempt. Try again.');
} else {
    $lines = file($_GET['file']);
}
```

That's all. Sorry for my English.
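The following is an added example, not code from the post above: it takes the post's password, cross-site scripting and file-inclusion advice (items 2 to 4 plus the password part of item 1) and writes it with the functions current PHP ships with. It assumes PHP 7 or later; the temporary directory, the file names in the allowlist and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not code from the original post: the post's password,
// XSS ("CSS") and file-inclusion checks written with current PHP functions.
// Assumes PHP >= 7; the directory, file names and inputs are constructed
// for this demo.
declare(strict_types=1);

// Password storage. The post appends a fixed secret string to md5().
// password_hash() generates a random per-user salt and uses a slow hash
// (bcrypt by default), so a dumped table cannot be reversed with a
// precomputed table even if the application's secret string leaks too.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Cross-site scripting. Keep the raw value in the database and encode it
// when it is written into HTML; ENT_QUOTES covers both quote styles so the
// value cannot close an attribute it is placed in.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Remote and local file inclusion. The request never carries a path: a short
// key is mapped onto an allowlist of local files, and the resolved path is
// verified to stay under $baseDir even if the list is edited later.
const ALLOWED_FILES = [
    'readme' => 'file.txt',
    'other'  => 'anotherfile.txt',
];

function resolveAllowedFile(string $baseDir, string $key): ?string
{
    if (!array_key_exists($key, ALLOWED_FILES)) {
        return null;                                  // unknown key: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_FILES[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // missing, or outside $baseDir
    }
    return $path;
}

function readAllowedFile(string $baseDir, string $key): ?array
{
    $path = resolveAllowedFile($baseDir, $key);
    return $path === null ? null : file($path, FILE_IGNORE_NEW_LINES);
}

// --- demonstration with constructed values ---
$stored = hashPassword('myverysecretpassword');
var_dump(verifyPassword('myverysecretpassword', $stored));
var_dump(verifyPassword('guess', $stored));

echo escapeHtml('<b onmouseover="x()">hi</b>'), PHP_EOL;

// A throwaway content directory so the allowlist resolves on this run.
$contentDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'security_demo';
@mkdir($contentDir);
file_put_contents($contentDir . DIRECTORY_SEPARATOR . 'file.txt', "first line\nsecond line\n");

var_dump(readAllowedFile($contentDir, 'readme'));           // allowed key, file present
var_dump(readAllowedFile($contentDir, '../../etc/passwd')); // not a key in the list
var_dump(readAllowedFile($contentDir, 'other'));            // key allowed, file absent
```

The allowlist keeps the post's idea but removes the remaining weak spot: with `in_array($_GET['file'], $files)` the request still names a real file, whereas a key lookup means the request value is never used as a path at all, and the `realpath()` prefix check catches a list entry that later points outside the content directory.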
I would add:

If you are using vars from inputs for later SQL queries, like:

```php
$sql = "INSERT INTO `table` VALUES (1, " . $_GET['input_var'] . ")";
```

you should use `mysql_real_escape_string($_GET['input_var'])` instead of `$_GET['input_var']` alone. This should make your inputs safer against SQL injections.
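An added example for this reply and for item 1 of the first post (not code from either poster): it handles a request value bound for SQL in the three ways a practitioner should know apart. Escaping only protects a value that sits inside quotes in the SQL text; in the reply's query the value lands in an unquoted numeric slot, so the type has to be validated, or better, the value bound through a prepared statement. It assumes PHP 7 or later with the PDO SQLite driver; `PDO::quote()` stands in for `mysql_real_escape_string()`, and the table and the hostile input are constructed for the demo.

```php
<?php
// Added example, not code from the thread: three ways to get $_GET['input_var']
// into an INSERT. Assumes PHP >= 7 with PDO SQLite; PDO::quote() plays the
// role of mysql_real_escape_string() (it escapes and wraps the value in quotes).
// The table and the sample inputs are constructed here.
declare(strict_types=1);

// 1. Escaping: safe only because the value ends up inside quotes.
function insertEscapedString(PDO $db, string $raw): void
{
    $sql = 'INSERT INTO t (n, label) VALUES (1, ' . $db->quote($raw) . ')';
    $db->exec($sql);
}

// 2. Unquoted numeric slot, as in the reply's query: there is no quote to
//    escape, so validate the type before the value reaches the SQL text.
function insertValidatedInt(PDO $db, string $raw): void
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('input_var must be an integer');
    }
    $db->exec("INSERT INTO t (n, label) VALUES ($n, 'validated')");
}

// 3. Prepared statement with bound types: works the same for string and
//    numeric slots and needs no manual escaping at all.
function insertBound(PDO $db, string $rawN, string $label): void
{
    $n = filter_var($rawN, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('input_var must be an integer');
    }
    $stmt = $db->prepare('INSERT INTO t (n, label) VALUES (:n, :label)');
    $stmt->bindValue(':n', $n, PDO::PARAM_INT);
    $stmt->bindValue(':label', $label, PDO::PARAM_STR);
    $stmt->execute();
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM t')->fetchColumn();
}

// --- demonstration on an in-memory database (constructed data) ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE t (n INTEGER, label TEXT)');

// Constructed input with no quote character in it: escaping has nothing to
// act on, which is why the numeric slot needs validation instead.
$hostile = "0); DELETE FROM t; --";

insertEscapedString($db, $hostile);    // stored as literal text in label
insertBound($db, '42', $hostile);      // stored as literal text in label
try {
    insertValidatedInt($db, $hostile); // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
insertValidatedInt($db, '7');

foreach ($db->query('SELECT n, label FROM t') as $row) {
    echo $row['n'], ' | ', $row['label'], PHP_EOL;
}
echo 'rows: ', rowCount($db), PHP_EOL; // the count shows nothing was deleted
```

When reviewing code that follows the reply's advice, the check to make is where each escaped value lands in the statement: a value outside quotes, whether an id in a WHERE clause or a number in VALUES, gets no protection from escaping, and the validate-or-bind approach is what closes that gap.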