Check every value supplied to your program to ensure that the data you're getting is the data you expected to get.
Always initialize your variables.
Set variables_order. Use $_REQUEST and friends.
Whenever you construct a filename from a user-supplied component, check the components with basename() and realpath().
Don't create a file and then change its permissions. Instead, set umask() so that the file is created with the correct permissions.
Don't use user-supplied data with eval(), preg_replace() with the /e option, or any of the system commands (exec(), system(), popen(), passthru(), and the backtick (``) operator).
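The following PHP script is an added example, not code from the original text, that puts the checklist above into practice in one place: it validates the request value before use, builds a path from a user-supplied component with basename() and realpath() and confirms the result stays under the base directory, sets umask() before creating a file instead of calling chmod() afterwards, and replaces a shell command built from user data with a PHP built-in (with escapeshellarg() shown for the case where a command is unavoidable). The uploads directory, the "file" request parameter and the function names are assumptions for the illustration.

```php
<?php
// Added example (not from the original text). The base directory and the
// "file" request parameter are illustrative assumptions.
declare(strict_types=1);

// 1. Validate input: accept only what you expect. A filename may contain
//    letters, digits, dot, dash and underscore, and nothing else.
function validateFilename(?string $name): ?string
{
    if ($name === null || $name === '' || strlen($name) > 64) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9._-]+$/', $name) === 1 ? $name : null;
}

// 2. Build a path from a user-supplied component: strip directory parts with
//    basename(), resolve with realpath(), and confirm the result still lies
//    inside the base directory (realpath() returns false if the path is missing).
function safePath(string $baseDir, string $userName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . basename($userName);
    $real = realpath($candidate);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // file does not exist or resolved outside the base directory
    }
    return $real;
}

// 3. Create files with the right permissions from the start: set umask()
//    before the write rather than chmod()-ing afterwards, so there is no window
//    in which the file exists with permissions wider than intended.
function createPrivateFile(string $path, string $contents): bool
{
    $old = umask(0077);            // new files become 0600, directories 0700
    try {
        return file_put_contents($path, $contents, LOCK_EX) !== false;
    } finally {
        umask($old);               // restore the process-wide mask
    }
}

// 4. Do not hand user data to eval() or the shell. Prefer a PHP built-in over
//    a command; if a command is unavoidable, escapeshellarg() every argument.
function listDirectory(string $dir): array
{
    // Unsafe pattern this replaces:  system("ls " . $_GET['dir']);
    $entries = scandir($dir);
    return $entries === false ? [] : array_values(array_diff($entries, ['.', '..']));
}

function wordCount(string $path): int
{
    // If you must shell out, quote each argument; never interpolate raw input.
    $out = shell_exec('wc -w ' . escapeshellarg($path));
    return is_string($out) ? (int) trim($out) : 0;
}

// Usage: every variable is initialized explicitly from the request rather
// than relying on register_globals-style injection.
$baseDir   = __DIR__ . '/uploads';                       // hypothetical location
$requested = filter_input(INPUT_GET, 'file', FILTER_DEFAULT);
$name      = validateFilename(is_string($requested) ? $requested : null);
$path      = $name === null ? null : safePath($baseDir, $name);

if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
echo wordCount($path), "\n";
```

The prefix check in safePath() is what makes basename() and realpath() useful together: basename() removes any directory component the caller supplied, and realpath() resolves symlinks so a link planted inside the base directory cannot point outside it. For the preg_replace() /e case in the list, note that the /e modifier was removed in PHP 7.0; preg_replace_callback() with a normal PHP function is the replacement and never evaluates matched text as code.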