The most important concept to understand about security is that it's not a binary state: don't think of a Web site or script as being either secure or not secure. Improved security normally comes at a cost of convenience and performance. Increased security normally means more code, more checks, and more required of the server.
Here are some recommendations.
- Don't use user-supplied names for uploaded files.
- Don't show detailed error messages.
- Reliably and consistently protect every page and directory that needs it.
- Watch how database references are used. For example, if a person's user ID is their primary key from the database and this is stored in a cookie, a malicious user just needs to change that cookie value to access another user's account.
- Don't store credit card numbers, social security numbers, banking information, or sensitive data.
- Use cryptography.
- Use SSL, if appropriate. A secure connection is one of the best protections a server can offer a user.
- Try to break your site to see what happens. Ask other people to break your site.
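To make the database-reference point concrete, here is an added example (not code from the original text) showing the cookie-holds-the-primary-key mistake next to two ways of fixing it: signing the value with a server-side secret, or replacing it with an opaque session token. The `USERS` table, `SERVER_SECRET` and `SESSIONS` store are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample "database" for this example: primary key -> account record.
USERS = {1: {"name": "alice", "balance": 100}, 2: {"name": "bob", "balance": 250}}

# Vulnerable: the cookie holds the database primary key and is trusted as-is,
# so anyone who edits the cookie value selects another user's account.
def account_from_cookie_insecure(cookies):
    try:
        user_id = int(cookies.get("user_id", ""))
    except ValueError:
        return None
    return USERS.get(user_id)

# Fix 1: keep the ID in the cookie but sign it with a secret only the server knows.
# An altered ID no longer matches its signature, so the lookup never happens.
SERVER_SECRET = secrets.token_bytes(32)  # loaded from server config in practice

def make_signed_cookie(user_id):
    payload = str(user_id).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"

def account_from_cookie_signed(cookies):
    value = cookies.get("user_id", "")
    user_id_text, sep, sig = value.rpartition(".")
    if not sep or not user_id_text.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, user_id_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # cookie was altered
    return USERS.get(int(user_id_text))

# Fix 2: store only a random, opaque token in the cookie and keep the
# token -> user mapping on the server, so the cookie reveals no database key.
SESSIONS = {}  # token -> user_id, server-side only

def login(user_id):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def account_from_cookie_session(cookies):
    return USERS.get(SESSIONS.get(cookies.get("session", "")))
```

With either fix, a guessed or edited cookie value yields no account rather than someone else's.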