Security

By default, php is usually configured to be in a verbose error reporting mode. This is helpful for debugging, while the project is being coded. However, this is not desirable for a production environment. While you should spare no effort to make your code as secure as possible, the output from an error message in php could help a hacker find a way to exploit something on your site.

• see error_handling for more information

Source: Programming PHP, 2nd Edition, Chapter 12

• Filter input to be sure that all data you receive from remote sources is the data you expect. Remember, the stricter your filtering logic, the safer your application.
• Escape output to be sure that your data isn't misinterpreted by a remote system.
• Always initialize your variables. This is especially important when the register_globals directive is enabled.
• Disable register_globals, magic_quotes_gpc, and allow_url_fopen. See http://www.php.net for details on these directives.
• Whenever you construct a filename, check the components with basename() and realpath().
• Store includes outside of the document root. It is better to not name your included files with the .inc extension. Name them with a .php extension, or some other less obvious extension.
• Always call session_regenerate_id() whenever a user's privilege level changes.
• Whenever you construct a filename from a user-supplied component, check the components with basename() and realpath().
• Don't create a file and then change its permissions. Instead, set umask() so that the file is created with the correct permissions.
• Don't use user-supplied data with eval(), preg_replace() with the /e option, or any of the system commands (exec(), system(), popen(), passthru(), and the backtick(``) operator).