
Chris Shiflett's Blog:
Two Top Security Practices
Feb 07, 2005 @ 13:33:17

From Chris Shiflett's weblog:

Security is not a simple topic, but I think there is a great deal of value to be had in simplistic summaries of secure programming practices. Like an organization's mission statement, they provide a broad perspective that helps to keep you on track while you focus on the details. It is with this in mind that I have decided to promote my Top Two PHP Security Practices, expressed in eight words:

  • Filter data on input
  • Escape data on output

These are practices that I've been promoting for years, but this is the first time that I've reduced them to such a simplistic list.

Two very simple rules to follow, yet it's amazing how often they are forgotten. In fact, Chris is so sure that failing to follow these two rules is the cause of the majority of the vulnerabilities posted on the php|architect security mailing list that he's putting his money where his mouth is:

I believe that a failure to properly abide by these two practices accounts for a vast majority of all PHP application vulnerabilities. In fact, I am offering a challenge. I believe that at least four of the next five vulnerabilities announced on php|architect's PHP security mailing list will be due to a failure to properly abide by one (or both) of these practices. If I am wrong, I will donate one hundred dollars to the Open Web Application Security Project.
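The following script is an added illustration of the two practices in PHP; it is not code from Chris Shiflett's post. The function names (`filterInput`, `escapeHtml`, `renderProfile`), the `$clean` array convention and the sample form submission are all assumptions made here for the example. Input filtering is done by validating each field against an explicit rule and copying only what passes into `$clean`; escaping is done at the moment of output, with the escaping function chosen for the destination (HTML body versus URL query string).

```php
<?php
// Added example (not from the original post): "filter data on input,
// escape data on output" applied to a constructed form submission.
// $clean, filterInput(), escapeHtml() and renderProfile() are naming
// conventions assumed here, not identifiers from the post.

declare(strict_types=1);

// --- Practice 1: filter data on input ----------------------------------
// Only data that passes an explicit check is copied into $clean. Anything
// that fails is simply absent from $clean, so later code cannot use it
// by accident.
function filterInput(array $input): array
{
    $clean = [];

    // Username: whitelist of characters with a bounded length.
    if (isset($input['username'])
        && is_string($input['username'])
        && preg_match('/^[A-Za-z0-9_]{1,32}$/', $input['username']) === 1) {
        $clean['username'] = $input['username'];
    }

    // Age: must be an integer in a plausible range; filter_var returns
    // false for anything that is not.
    if (isset($input['age'])) {
        $age = filter_var($input['age'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 150]]);
        if ($age !== false) {
            $clean['age'] = $age;
        }
    }

    // Free-form comment: free text cannot be whitelisted character by
    // character, so we only bound its size (in bytes) here and rely on
    // escaping at output time to neutralise any markup it carries.
    if (isset($input['comment'])
        && is_string($input['comment'])
        && strlen($input['comment']) <= 500) {
        $clean['comment'] = $input['comment'];
    }

    return $clean;
}

// --- Practice 2: escape data on output ---------------------------------
// The escaping function depends on where the data is going. HTML body text
// and a URL query parameter are shown; a database query would instead use
// a prepared statement with bound parameters.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderProfile(array $clean): string
{
    $html = [];
    if (isset($clean['username'])) {
        // Validated data is still escaped: the rule is applied uniformly,
        // so a later change to the validation regex cannot open a hole.
        $html[] = '<p>User: ' . escapeHtml($clean['username']) . '</p>';
        $html[] = '<a href="/profile?user=' . rawurlencode($clean['username']) . '">profile</a>';
    }
    if (isset($clean['age'])) {
        $html[] = '<p>Age: ' . escapeHtml((string) $clean['age']) . '</p>';
    }
    if (isset($clean['comment'])) {
        $html[] = '<blockquote>' . escapeHtml($clean['comment']) . '</blockquote>';
    }
    return implode("\n", $html);
}

// Constructed sample submission: the username passes, the age fails
// validation and is dropped, and the comment carries markup that must be
// rendered as text rather than as HTML.
$submission = [
    'username' => 'alice_01',
    'age'      => 'not-a-number',
    'comment'  => '<b>not bold</b> & "quoted"',
];

$clean = filterInput($submission);
echo renderProfile($clean), "\n";
```

Run with `php example.php`: the output contains the username, the profile link and the comment with `<`, `>`, `&` and `"` converted to entities, while the age paragraph is missing entirely because the value never entered `$clean`. Keeping the filtered data in a separate array, rather than modifying `$_POST` in place, is what makes it easy to see at a glance whether a given variable has been through the filter.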
