2004-11-30
Security in PHP
Php
1. register_globals Off (php.ini): form fields, cookies and URL parameters must not turn into global variables by themselves.
2. Never trust user data.
3. AddType application/x-httpd-php .htm (httpd.conf): lets scripts be named .htm instead of .php, so a visitor cannot tell from the URL that PHP is in use.
4. Put key files outside your document root (e.g. dbconnect.inc.php), so they can never be fetched with a browser.
5. Name include files x.inc.php instead of x.inc: a .inc file requested directly is served as plain text, source and passwords included, whereas a .inc.php file is executed by PHP.
6. Hide server info: "ServerSignature Off" and "ServerTokens Prod" (httpd.conf).
7. Hide PHP: "expose_php Off" (php5.ini) removes the X-Powered-By header.
8. Hide errors: "display_errors Off" and "log_errors On" (php5.ini). Errors are still recorded in the log but are no longer shown to the visitor.
9. Restrict general database access (only root and the application user, iuser, and only @localhost in MySQL).
10. Use include_once() so a file is never included twice (a redefined function is a fatal error).
11. Pre-initialise important variables to safe values, so that nothing arriving from outside (see 1) gets to decide their value.
12. Be wary of session fixation (the session can be hijacked): the attacker chooses the session ID and gets the victim to use it, for example through a link like
<A HREF="http://www.yoursite.com?PHPSESSID=abc123">Click here!</A>
Once the victim logs in, the attacker holds the ID of an authenticated session. Change session IDs on privilege elevation:
a) Validate (e.g. against a database) and if the user is OK then
b) session_regenerate_id()
13. Use Safe mode (php5.ini). Note that safe mode was deprecated in PHP 5.3 and removed in PHP 5.4, as were register_globals and magic_quotes.
a) safe_mode_include_dir: in safe mode the UID of the owner of the script normally must match the UID of the owner of the file being read; files under this dir are exempt from that check.
b) safe_mode_exec_dir: the only dir where exec() works.
c) safe_mode_allowed_env_vars: list of environment variable prefixes that the user may change.
d) open_basedir: limit the location from where files can be read. Tricky prefix syntax: /home/paul matches both /home/paul_hax and /home/paul_hex, so write /home/paul/ with a trailing slash instead. Works regardless of whether safe mode is enabled.
e) disable_functions: comma-separated list of functions to block, for example readfile, exec, fopen.
f) disable_classes: list of classes to block.
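Steps a) and b) of note 12 as working code. This is an added example, not part of the original notes: it assumes PHP >= 5.5 (session_status() and password_verify()), and the user table is a constructed array standing in for the database lookup.

```php
<?php
// Added example, not part of the original notes: a login that follows step
// a) and b) of note 12. Assumes PHP >= 5.5 (session_status, password_verify);
// the user table is constructed here as an array standing in for a database.

// Only read the session ID from the cookie, never from ?PHPSESSID=... in the
// URL, which is how the attacker plants a chosen ID in the first place.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// PHP >= 5.5.2: refuse session IDs the server never issued (no effect on older versions).
ini_set('session.use_strict_mode', '1');

// Constructed credential store; the hashes come from password_hash() at
// registration time and are checked with password_verify().
function user_store() {
    static $users = null;
    if ($users === null) {
        $users = array('paul' => password_hash('correct horse battery staple', PASSWORD_DEFAULT));
    }
    return $users;
}

// Step a): validate the credentials.
function credentials_valid($username, $password) {
    $users = user_store();
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Step b): only after a successful check, replace the session ID and then
// store the privilege. Anyone who fixed or learned the old ID is left with
// an empty, deleted session.
function login($username, $password) {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentials_valid($username, $password)) {
        return false;
    }
    session_regenerate_id(true);   // true = delete the old session data (PHP >= 5.1)
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// The same rule on the way down: logout must not leave a reusable ID behind.
function logout() {
    $_SESSION = array();
    session_regenerate_id(true);
    session_destroy();
}

if (PHP_SAPI === 'cli') {
    // Simulate a visitor who arrived through the attacker's link.
    session_id('abc123');
    session_start();
    $before = session_id();
    $ok = login('paul', 'correct horse battery staple');
    printf("login %s, session ID %s -> %s\n", $ok ? 'ok' : 'failed', $before, session_id());
}
```

Run it from the command line and the printed IDs differ: whatever ID the visitor arrived with is gone the moment the credentials check out, which is the whole defence. The order matters: regenerate first, then write to $_SESSION, so the privilege is only ever attached to an ID the attacker has never seen.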
2004-11-25
@ Operator
Php
PHP supports one error control operator: the at sign (@). When prepended to an expression, any error messages that expression would generate are ignored.
Only the message is suppressed; the expression still fails and still returns its error value, so check that value instead of relying on @ to make the problem go away.
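An added example (not from the original note) of what @ does and does not do, and of the one place where it is actively dangerous: an @include of a security check. The config path and include name are hypothetical.

```php
<?php
// Added example, not part of the original note. @ hides the message, not the
// failure: the expression still returns its error value, so that is what must
// be checked. The config path and the include name are hypothetical.

// Send errors to the log instead of the browser (note 8 in the security list);
// then nothing needs @ just to keep warnings off the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Silenced read: no "failed to open stream" warning, but $data is still false.
function read_config_quietly($path) {
    $data = @file_get_contents($path);
    if ($data === false) {
        // The suppressed error is still recorded and can be logged deliberately.
        $err = error_get_last();   // PHP >= 5.2
        error_log('config read failed for ' . $path . ': ' . ($err ? $err['message'] : 'unknown reason'));
        return null;
    }
    return $data;
}

// The dangerous case: @include of a security check. If auth.inc.php is
// missing or unreadable, @include hides the warning and the page simply runs
// without the check. require fails the request instead, which is the safe
// way to fail.
function page_with_auth($authFile, $useAt) {
    if ($useAt) {
        @include $authFile;        // silent skip on failure
    } else {
        require $authFile;         // fatal error on failure: the page never renders
    }
    return 'secret page contents';
}

if (PHP_SAPI === 'cli') {
    var_dump(read_config_quietly('/nonexistent/app.conf'));        // NULL, one line in the error log
    echo page_with_auth('/nonexistent/auth.inc.php', true), "\n";  // prints the page: the check was skipped
}
```

The second function is the point: with @include the page renders for everyone when the auth file cannot be loaded, with require it renders for no one. Use require (or require_once) for anything the page's security depends on.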
2004-11-25
Receive a form
Php
<?php
// Copies every POST field into a PHP variable with the same name.
foreach ($_POST as $nyckel => $varde) {          // key => value
    if (is_array($varde)) {                       // checkbox groups etc. arrive as arrays
        $varde = implode(', ', $varde);
    }
    if (get_magic_quotes_gpc()) {                 // undo magic_quotes_gpc (removed in PHP 5.4)
        $nyckel = stripslashes($nyckel);
        $varde = stripslashes($varde);
    }
    // echo "$nyckel = $varde<br>";
    $$nyckel = $varde; // Note the $$! This is register_globals done by hand (see note 1 above):
                       // any variable in the script can be overwritten from the form, so
                       // initialise important variables after this loop (note 11), never before.
}
?>
2004-11-25
Fetch data from MySQL
Php
<?php
// Fetches every row of a table and writes the formatted result to a text file.
ob_start();                                    // capture everything printed below
$result = mysql_query("select * from table");  // mysql_* was removed in PHP 7; use mysqli or PDO there
if ($result === false) {                       // never assume the query worked
    ob_end_clean();
    error_log("query failed: " . mysql_error()); // log it, do not display it (note 8)
    exit;
}
while ($row = mysql_fetch_assoc($result)) {
    extract($row);   // turns each column into a variable: $SomeInfoA, $SomeInfoB, ...
    print "Some info A: $SomeInfoA\n";
    print "Some info B: $SomeInfoB\n";
    print "Some info C: $SomeInfoC\n";
}
$output = ob_get_contents();
ob_end_clean();
// Relative path, i.e. next to the script and usually inside the document root;
// such files belong outside it (note 4).
file_put_contents("employee.txt", $output);
?>
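One added example serving both the "Receive a form" and "Fetch data from MySQL" notes above; it is not code from the original notes. The form is read through a field whitelist instead of $$key, and the value it yields goes into the query as a bound parameter instead of being pasted into the SQL string. PDO with an in-memory SQLite database stands in for MySQL so it runs without a server (assumes the pdo_sqlite extension); the table, its rows and the form field "dept" are constructed for the example.

```php
<?php
// Added example, not code from the original notes. Form handling without
// variable variables, then the query with a bound parameter. PDO + in-memory
// SQLite replaces MySQL so it runs stand-alone (assumes pdo_sqlite); table,
// rows and the form field "dept" are constructed.

// Undo magic_quotes_gpc on PHP < 5.4; the function is gone in PHP 8.
function strip_gpc_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('strip_gpc_quotes', $value) : stripslashes($value);
    }
    return $value;
}

// Only the fields listed in $rules are read; everything else in the POST
// body is ignored, so a stray field such as is_admin=1 never becomes a variable.
function receive_form(array $post, array $rules) {
    $clean = array();
    $errors = array();
    foreach ($rules as $field => $allowed) {
        $raw = isset($post[$field]) ? strip_gpc_quotes($post[$field]) : null;
        if (!is_string($raw) || !in_array($raw, $allowed, true)) {
            $errors[] = $field;
            continue;
        }
        $clean[$field] = $raw;
    }
    return array($clean, $errors);
}

function open_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER)');
    $ins = $db->prepare('INSERT INTO employee (name, dept, salary) VALUES (?, ?, ?)');
    foreach (array(array('Anna', 'dev', 41000), array('Bo', 'ops', 39000), array('Cia', 'dev', 45000)) as $r) {
        $ins->execute($r);   // constructed rows
    }
    return $db;
}

// What mysql_query("... where dept = '$dept'") amounts to: the value is parsed as SQL.
function fetch_unsafe(PDO $db, $dept) {
    return $db->query("SELECT name, dept, salary FROM employee WHERE dept = '$dept'")->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound, so quotes inside it are data, not syntax.
function fetch_safe(PDO $db, $dept) {
    $stmt = $db->prepare('SELECT name, dept, salary FROM employee WHERE dept = ?');
    $stmt->execute(array($dept));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Format rows by column name; no extract(), so columns never become variables.
function format_rows(array $rows) {
    $out = '';
    foreach ($rows as $row) {
        $out .= sprintf("%s\t%s\t%d\n", $row['name'], $row['dept'], $row['salary']);
    }
    return $out;
}

$db = open_db();
$rules = array('dept' => array('dev', 'ops'));

// 1. A hostile form: the whitelist rejects it before any query runs.
list($clean, $errors) = receive_form(array('dept' => "dev' OR '1'='1", 'is_admin' => '1'), $rules);
printf("hostile form: rejected fields = %s\n", implode(',', $errors));

// 2. Even with no whitelist in front, binding beats interpolation.
$attack = "dev' OR '1'='1";
printf("unsafe query returns %d rows, bound query returns %d rows for %s\n",
    count(fetch_unsafe($db, $attack)), count(fetch_safe($db, $attack)), $attack);

// 3. The honest case, exported outside the document root (note 4); the temp
//    dir stands in for a private directory such as /home/paul/private/.
list($clean, $errors) = receive_form(array('dept' => 'dev'), $rules);
$file = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'employee.txt';
file_put_contents($file, format_rows(fetch_safe($db, $clean['dept'])), LOCK_EX);
printf("wrote %d bytes to %s\n", filesize($file), $file);
```

Run from the command line, case 2 shows the whole difference in one line: the interpolated query returns all three rows for the injected value, the bound query returns none. The whitelist in receive_form() is the first line of defence and the prepared statement the second; keep both, since a field that is free text cannot be whitelisted but can still be bound.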