There are many security issues depending on how your installation of PHP is setup. Most of these can and should be addressed by systems admins.
If your scripts are writing to the filesystem, there are more issues than if you are simply running a "hello world" script. The most important thing you as a scripter can do is to validate data. Any place you allow a user to add data into your scripts is a potential security hole.
Try to imagine what would happen to your script if a user submitted an empty value, or maybe if they typed in a SQL query string or a link to a porno image. For this reason, you must narrow down the possible things a user can type in. If a variable is supposed to contain an email address, use regular expressions to verify that it at least looks something like this ... me@mydomain.com as opposed to mysql_query(delete * from table);
Strip out stuff you know you don't want, like HTML tags and special characters. If you need to allow special characters or HTML tags to be input, replace the literal instances of the character with ascii values or hex values before using them in the script.
Don't rely on client side validation for any areas where users can type in data. Check all user input server side, as anything on the client side can be bypassed easily.
Another thing I see a lot of people doing that is insecure is using include pages that are not parsed by the webserver. For instance if you create a file called connection.inc that contains your database username and password, and this file is not parsed by the webserver, it will be returned as plain text for the world to see. A better strategy is to name the file connection.php (or any other file type the webserver parses). This way, if a user does happen to stumble on the file, the webserver will not return plain text to the browser.
Start by reading this chapter of the PHP manual ... http://www.php.net/manual/en/security.php
