Filter input and escape output, always. Use prepared statements and validate your query parameters against the shape you expect. Disable magic_quotes, register_globals and allow_url_fopen (the first two were removed in PHP 5.4, but older installs still have them; allow_url_fopen should stay off unless something genuinely needs it). Give daemons, processes and people the minimum permissions they need. Regenerate session IDs on login and protect state-changing requests with anti-CSRF tokens. Use common sense.
SQL Injection, XSS, CSRF, Security misconfiguration and CSSLP
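The checklist above, turned into working PHP. This is an added example and not code from the original page; it assumes PDO with the SQLite driver, a constructed `users` table with two rows, an in-memory `$session` array standing in for `$_SESSION`, and constructed attacker input (`$attack`, `$comment`). The helper names (`find_user`, `valid_username`, `h`, `csrf_token`, `csrf_check`, `on_login`) are mine, not a framework API.

```php
<?php
// Added example, not from the original page. Assumes pdo_sqlite is available.
declare(strict_types=1);

// Prepared statement: the user-supplied value is bound as data, so a quote
// inside it can never close the string literal or change the query.
function find_user(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The "before" for contrast only: string concatenation lets the quote break
// out, and "' OR '1'='1" turns the WHERE clause into a tautology that returns
// every row. Never ship this.
function find_user_vulnerable(PDO $db, string $username): array {
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Filter input: allow-list the shape you expect rather than blacklisting
// characters. Reject at the edge so bad input never reaches the query at all.
function valid_username(string $u): bool {
    return (bool) preg_match('/^[a-z0-9_]{3,32}$/', $u);
}

// Escape output for the context it lands in; this one is for HTML body and
// attribute content. Escaping is done at output time, not at input time, so
// the stored value stays raw and usable in other contexts.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// CSRF token: one random value per session, embedded in forms and compared in
// constant time with hash_equals so the check does not leak timing.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}
function csrf_check(array $session, string $submitted): bool {
    return isset($session['csrf']) && hash_equals($session['csrf'], $submitted);
}

// Session fixation defence: regenerate the ID on every privilege change
// (login, role change). The true argument deletes the old session data so a
// fixated ID cannot be reused. Only meaningful when a real session is active.
function on_login(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
}

// --- constructed sample data (assumption, not from the page) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

$attack = "' OR '1'='1";
// Concatenation leaks both rows; the prepared statement matches nothing
// because no username literally equals the injected string; the allow-list
// would have rejected it before any query ran.
echo 'concatenated query rows: ', count(find_user_vulnerable($db, $attack)), PHP_EOL;
echo 'prepared query match: ', var_export(find_user($db, $attack), true), PHP_EOL;
echo 'passes input filter: ', var_export(valid_username($attack), true), PHP_EOL;

// Output escaping neutralises a stored script payload at render time.
$comment = '<script>alert(1)</script>';
echo 'escaped for HTML: ', h($comment), PHP_EOL;

// Token round trip: the real token verifies, a forged one does not.
$session = [];
$token = csrf_token($session);
echo 'genuine token accepted: ', var_export(csrf_check($session, $token), true), PHP_EOL;
echo 'forged token accepted: ', var_export(csrf_check($session, 'forged'), true), PHP_EOL;
```

Run it with `php example.php`. The point of the side-by-side is that the prepared statement and the allow-list each stop the injection independently; the input filter is defence in depth, not a substitute for binding parameters. The same separation applies to output: `h()` is called where the value is rendered, so a value that is safe in HTML is not assumed safe in a JavaScript string, a URL or a SQL query.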