# set register globals off
php_value register_globals 0
# set allow_url_fopen off
php_value allow_url_fopen 0
# set magic_quotes_gpc off
php_value magic_quotes_gpc 0
# set magic_quotes_runtime off
php_value magic_quotes_runtime 0
are the basic things to turn off.
As far as the security of the PHP files goes, they are pretty safe. For more info, search "secure config" and look at the first post, called "question about security of php files."
I'm not sure that there is a safer way to have a dynamic website, and honestly I wouldn't worry about it; so long as you are careful with variables set by users, you'll be fine. There are lots of dynamic websites that are very secure. If you have questions about specific code, post it somewhere and ask; folks are usually pretty happy to help patch up the holes. scrypte mentioned validating your $_POST & $_GET's; that is a very good idea, always.
A good basic one is:
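function validate($value){
    // Undo the slashes magic_quotes_gpc adds, so the value is not escaped twice
    if(get_magic_quotes_gpc()) $value = stripslashes($value);
    // Non-numeric input: strip HTML tags, then escape for use in a MySQL query
    // (mysql_real_escape_string() needs an open mysql_connect() connection)
    if(!is_numeric($value)) $value = mysql_real_escape_string(strip_tags($value));
    return $value;
}
And you'd use it like so: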
$id=validate($_GET['id']);
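
An added example, not part of the original post: the same idea (check each user-supplied value before it reaches a query) written for current PHP, where magic quotes and the mysql_* functions used above no longer exist. It assumes PHP 8 with the pdo_sqlite extension; the articles table, the sample requests and the read_id() and find_title() helpers are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (id, title) VALUES (1, 'Hello'), (2, '<b>Bold</b> title')");

// Hypothetical helper: accept an id only if it is a positive integer, else null.
function read_id(array $input, string $key): ?int
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;                       // missing, or an array such as ?id[]=1
    }
    $id = filter_var($input[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: the value travels as a bound parameter, never as SQL text.
function find_title(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

// Constructed requests, standing in for $_GET on four different page loads.
$requests = [['id' => '2'], ['id' => '1 OR 1=1'], ['id' => ['1']], []];

foreach ($requests as $get) {
    $id = read_id($get, 'id');
    if ($id === null) {
        echo "rejected: invalid id\n";
        continue;
    }
    $title = find_title($db, $id);
    // Escape when writing into HTML, not when reading the input.
    echo $title === null ? "not found\n" : htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Only the first request reaches the database; the stored title is HTML-escaped at output time, so the `<b>` tags in it are displayed as text rather than interpreted.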