
DevShed:
Common PHP Security Mistakes
Jun 10, 2004 @ 12:21:21

A new article from DevShed aims to help developers who worry that a malicious user could manipulate their site to their own advantage, so it offers a list of common PHP security mistakes to learn from.

The purpose of this document is to inform PHP programmers of common security mistakes that can be overlooked in PHP scripts. While many of the following concepts may appear to be common sense, they are unfortunately not always common practice. After applying the following practices to your coding, you will be able to eliminate the vast majority of security holes that plague many scripts. Many of these security holes have been found in widely-used open source and commercial PHP scripts in the past.

Most of the tips are very easy to follow, but can be difficult to remember when it gets down to the wire:

  • Never include, require, or otherwise open a file with a filename based on user input (without checking it first)
  • Be careful with eval() (after all eval is only one letter away from evil)
  • Be careful when using register_globals = ON
  • Never run unescaped queries
  • For protected areas, use sessions or validate the login every time.
  • If you don't want the file contents to be seen, give the file a .php extension.
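To make the first, fourth and fifth tips concrete, here is an added example (not code from the DevShed article) showing the vulnerable pattern as a comment beside its hardened form. It assumes PHP 7 or later with PDO, a `pages/` directory containing the listed files, and an already-opened `$pdo` connection for `findUser()`.

```php
<?php
// Added example (not from the DevShed article): allowlist-based include,
// a parameterised query, and a per-request login check. Assumes PHP 7+ with PDO.

// Item 1: never include a file whose name comes straight from user input.
// Vulnerable pattern (do not use): include($_GET['page'] . '.php');
// Hardened: map the request parameter onto a fixed allowlist of real files.
function resolvePage(string $requested): ?string
{
    $pages = [
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    return $pages[$requested] ?? null;  // unknown names never reach include()
}

// Item 4: never run unescaped queries. A prepared statement sends user input
// as a bound value, so it cannot change the structure of the SQL statement.
// Vulnerable pattern (do not use):
//   $pdo->query("SELECT * FROM users WHERE name = '" . $_POST['name'] . "'");
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Item 5: protected areas validate the login on every request, not once.
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

// Usage: check the session, then resolve the requested page before include().
requireLogin();
$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```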