One thing I seen that's missing security wise is the strip_tags function. Always use this when receiving form input. If you are relaying information from a form to a database, always use mysql_real_escape_string with the strip_tags.