Sql Injection virus problem.


jatar_k - 4:15 am on May 28, 2008 (gmt 0)


you need to verify all input, everything you receive from a source other than yourself

you should test all of this data and make sure it is the type that it is supposed to be

if something is wrong with data, don't fix it, send it back to the user to correct or refuse it, depending on where it happens

make sure your scripts don't spit out verbose error messages that an intruder can then use to reverse engineer queries

there's so much more but that should cover a few basics

this thread is fairly good and the basic principles can apply to any language though this focuses on php
PHP Security [webmasterworld.com]
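
The points in the post above (type-check every input, reject bad data instead of repairing it, keep error detail away from the user), as an added PHP example that is not part of the original post. The `products` table, the `id` parameter, the in-memory SQLite database and the bound-parameter query are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; table, parameter and function names are hypothetical.

/** Returns [clean, errors]. Bad values are rejected, never repaired. */
function validate_input(array $in): array
{
    $errors = [];
    // id must be a positive integer; "12abc" or "-3" fail the check outright.
    $id = filter_var($in['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'id must be a positive whole number';
    }
    return [$errors ? null : ['id' => $id], $errors];
}

function handle_request(PDO $db, array $in): array
{
    [$clean, $errors] = validate_input($in);
    if ($errors) {
        // Send the problem back to the user to correct; run no query.
        return ['status' => 400, 'body' => implode('; ', $errors)];
    }
    try {
        $stmt = $db->prepare('SELECT name FROM products WHERE id = ?');
        $stmt->execute([$clean['id']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Driver and query details go to the server log only.
        error_log($e->getMessage());
        return ['status' => 500, 'body' => 'Something went wrong.'];
    }
    return $row
        ? ['status' => 200, 'body' => $row['name']]
        : ['status' => 404, 'body' => 'No such product.'];
}

// Constructed sample data and requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'widget')");

foreach ([['id' => '1'], ['id' => '12abc'], ['id' => '-3'], []] as $in) {
    $r = handle_request($db, $in);
    printf("%-16s -> %d %s\n", json_encode($in), $r['status'], $r['body']);
}
```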


Thread source: http://www.webmasterworld.com/databases_sql_mysql/3657200.htm