Originally published at Internet.com. Review Part 1.
Secure Programming Guidelines
The way to secure PHP scripts is through a carefully selected combination of configuration settings and safe programming practices. Based on the vulnerabilities that we have studied so far, we will now set forth to establish some rules that can help avoid dangerous situations.
Using PHP Safe Mode
PHP can be set up so that it executes scripts in a restricted environment to decrease the amount of damage that can be inflicted by insecure programs. This mode of operation is called "safe mode". The configuration directive safe_mode in php.ini turns safe mode on and off. The safe_mode_exec_dir directive specifies a directory from which scripts can be loaded. PHP will not execute a script if it is not in this directory. Furthermore, PHP will not let a script call another program that is not in this directory. This way, even if there is a security hole in the script that allows attackers to run arbitrary commands through it, they will be limited to whatever is in the safe mode executable directory. As a general rule, if it is not absolutely necessary for scripts to be able to alter a variable, protect it.
To prevent tampering with environment variables, PHP safe mode makes use of another php.ini configuration setting that restricts the user's ability to modify them. The field safe_mode_allowed_env_vars contains a list of prefixes that identify the names of the environment variables the user is allowed to change. Thus, any environment variable whose name begins with something not listed in safe_mode_allowed_env_vars cannot be altered from within a PHP script. The default list consists of the prefix "PHP_" only. As we have seen, some of the PHP_ variables also contain sensitive information, so this restriction does not always solve the problem completely...
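The php.ini fragment below is an added illustration, not part of the original article, showing a permissive safe-mode configuration next to a tightened one using the directives discussed above. The directory path is an assumed placeholder, and safe_mode_protected_env_vars is a real php.ini directive that goes one step beyond the text: it names variables a script may never change even if their prefix is allowed. Note that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP releases these directives have no effect and the same goals must be met with open_basedir, disable_functions and OS-level process isolation.

```ini
; --- Weak: safe mode off, scripts may call any binary and change any env var ---
safe_mode = Off
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars =

; --- Tightened: safe mode on, executables confined, env vars restricted ---
safe_mode = On

; Only programs inside this directory may be launched by scripts
; (assumed placeholder path; pick a directory owned by root, not web-writable)
safe_mode_exec_dir = /usr/local/php-safe-bin

; Scripts may only set environment variables whose names start with these
; prefixes (comma separated). Keep the list as short as possible.
safe_mode_allowed_env_vars = PHP_

; Variables a script may never modify, regardless of prefix.
; LD_LIBRARY_PATH is the PHP default; add any others sensitive on your host.
safe_mode_protected_env_vars = LD_LIBRARY_PATH
```

After editing php.ini, restart the web server or PHP process manager and confirm the active values with phpinfo() or `php -i | grep safe_mode` on a test host; settings that differ between the CLI and the web SAPI are a common source of false confidence.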