provided by: 
Originally published at Internet.comPHP has achieved a stable and solid presence on the Web in the last several years, and its popularity as a server-side scripting language is only increasing. Its primary use is for providing dynamically generated interfaces between Web users and the host. As such, PHP scripts fall a natural prey to many Internet attacks. Despite the fact that the language is designed with security in mind, a familiarity with its more dangerous aspects and conformance to common secure programming guidelines is essential to minimizing the possibility of security compromises. The aim of this document is to provide an overview of various security issues with PHP and to offer advice on secure PHP programming practices.
Introduction
PHP (PHP Hypertext Preprocessor) is a server-side scripting language that facilitates the creation of dynamic Web pages by embedding PHP-coded logic in HTML documents. It combines many of the finest features of Perl, C, and Java, and adds its own elements to the concoction to give Web programmers great flexibility and power in designing and implementing dynamic, content-oriented Web pages. As with any powerful tool however, there are certain risks and dangers associated with the use of PHP. This article aims to alert the reader of such subtle details of the language. By being aware of the risks and observing some simple secure programming rules, it is possible to significantly lower the risk of security compromises. Regardless of its mode of execution, the PHP interpreter has the potential to access virtually every part of the host - the file system, network interfaces, IPC, etc...
Read article at Internet.com site