Here's a good guide that I'm reading right now:
http://phpsec.org/projects/guide/
Basically, validate all info coming into and going out of your site. Be strict when filtering data. I use the following functions: trim(), strip_tags(), eregi(), str_replace(), and htmlspecialchars() to make sure that data entered is in exactly the format that I expect it to be.
Also, make sure info being submitted by a form is actually coming from YOUR form. There's other stuff too, but that's a good start.
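The two points in the post above (strict input filtering, and checking that a submission really came from your own form) as one added example. This is not the poster's code and not taken from the phpsec.org guide. It assumes PHP 7 or later, where eregi() no longer exists, so preg_match() does the pattern check; the field names, patterns, and the session-stored form token are choices made for this example, not anything the post specifies.

```php
<?php
// Added example: whitelist-style input validation plus a per-session form
// token so a POST can be tied to a form this site actually served.
// Assumes PHP 7+ (eregi() was removed; preg_match() replaces it).
declare(strict_types=1);

session_start();

/**
 * Return a cleaned value, or null if the field is missing or does not match
 * the expected format. Rejecting unexpected input (rather than trying to
 * repair it) is what "be strict when filtering data" means in practice.
 */
function cleanField(array $src, string $key, string $pattern, int $maxLen): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;                 // absent, or an array smuggled in as key[]
    }
    $v = trim(strip_tags($src[$key]));
    if ($v === '' || strlen($v) > $maxLen) {
        return null;
    }
    return preg_match($pattern, $v) === 1 ? $v : null;
}

// --- form-origin check: a random token stored in the session ---

function issueFormToken(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function verifyFormToken(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    // hash_equals() compares in constant time, so the token cannot be
    // guessed one byte at a time through timing differences.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// --- rendering the form (the token travels as a hidden field) ---

function renderForm(): string
{
    $token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="">
  <input type="hidden" name="form_token" value="{$token}">
  <input name="username"> <input name="email">
  <button>Send</button>
</form>
HTML;
}

// --- handling the submission ---

function handlePost(array $post): array
{
    if (!verifyFormToken($post)) {
        return ['ok' => false, 'error' => 'submission did not come from our form'];
    }
    // Example patterns (hypothetical policy): short alphanumeric username,
    // simple e-mail shape. Tighten or loosen to match what your app accepts.
    $username = cleanField($post, 'username', '/^[a-z0-9_]{3,20}$/i', 20);
    $email    = cleanField($post, 'email', '/^[^@\s]+@[^@\s]+\.[a-z]{2,}$/i', 254);
    if ($username === null || $email === null) {
        return ['ok' => false, 'error' => 'invalid input'];
    }
    // Validated data is still not safe HTML: escape again on the way out.
    return [
        'ok'       => true,
        'username' => htmlspecialchars($username, ENT_QUOTES, 'UTF-8'),
        'email'    => htmlspecialchars($email, ENT_QUOTES, 'UTF-8'),
    ];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    var_dump(handlePost($_POST));
} else {
    echo renderForm();
}
```

The validation side escapes on output even though input was already filtered: strip_tags() and a regex decide whether a value is acceptable, while htmlspecialchars() decides how it is rendered, and both steps are needed. The token check only proves the POST carries a value this session was given on a GET; a fresh token per session is enough for this demonstration, but a per-form or per-request token is stricter.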