As for general security in a language-agnostic way:
- Use sessions/cookies to store a key in the browser (sessions do this automagically in PHP), and store data on the server side. If it's a shared server and contains potentially sensitive data, do not save it in the default temporary directory. Check the referrer, user agent and possibly the IP (though I hear this is an issue for proxied ISPs like AOL?) against the session data as an extra check against copied cookies. Never use transparent session ID features like PHP's transid.
- Always sanitise your database inputs. Always. Every time. Without fail. Unless you can be absolutely certain you're putting an integer into the database field, run it through the database's sanitisation/escape function, or use prepared statements.
- Make sure your administrator password contains at least 1 symbol and 1 number, and is a minimum of 8 letters long.
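The second point above (sanitise every database input, or use prepared statements) is easiest to see with the two forms side by side. The following is an added example, not code from the post above; it uses Python's standard `sqlite3` module with a constructed in-memory `users` table, and contrasts a query built by string concatenation with the same query using bound parameters.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real credentials).
USERS = [("alice", "pw-alice"), ("bob", "pw-bob")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The 'before': user input is spliced straight into the SQL text, so any
    quote characters in the input change the structure of the statement."""
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Prepared statement: the driver binds the values to the '?' placeholders,
    so the input is always treated as a string value and never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def lookup_by_id(conn: sqlite3.Connection, user_id) -> list:
    """The one case the post exempts: a value you are certain is an integer.
    Converting with int() raises on anything that is not one, so the cast
    itself is the check; the value is still passed as a bound parameter."""
    uid = int(user_id)
    sql = "SELECT name FROM users WHERE rowid = ?"
    return [row[0] for row in conn.execute(sql, (uid,))]


def demo() -> dict:
    """Run both lookups against the textbook quote-breaking input and
    return the results so they can be compared."""
    conn = make_db()
    bad_password = "' OR '1'='1"
    return {
        "unsafe": lookup_unsafe(conn, "alice", bad_password),  # every row comes back
        "safe": lookup_safe(conn, "alice", bad_password),      # no row matches
        "legit": lookup_safe(conn, "alice", "pw-alice"),       # normal login still works
        "by_id": lookup_by_id(conn, "2"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>6}: {rows}")
```

With the concatenated form, the password `' OR '1'='1` turns the `WHERE` clause into `name = 'alice' AND password = '' OR '1'='1'`, which is true for every row; the bound-parameter form compares the literal string and matches nothing. The same split applies to PHP's `mysqli`/PDO prepared statements, which the post's advice covers.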
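The first point above describes keeping session data server-side, handing the browser only a key, and comparing the referrer, user agent and optionally the IP against what was recorded when the session was created. The following is an added example of that check, not code from the post; the record layout, the `bind_ip` switch (for the proxied-ISP case the post flags) and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit


def fingerprint(user_agent: str, client_ip: Optional[str]) -> str:
    """Hash the request attributes the session is bound to. The IP is
    optional so that clients behind rotating proxies can be exempted."""
    material = user_agent + "\x00" + (client_ip or "")
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def new_session(user_agent: str, client_ip: str, bind_ip: bool = True) -> dict:
    """Server-side session record created at login. Only 'key' is sent to the
    browser (as the cookie value); everything else stays on the server."""
    return {
        "key": secrets.token_hex(32),          # random, unguessable cookie value
        "bind_ip": bind_ip,
        "fingerprint": fingerprint(user_agent, client_ip if bind_ip else None),
        "data": {},                             # application state lives here, not in the cookie
    }


def session_matches(session: dict, user_agent: str, client_ip: str) -> bool:
    """Recompute the fingerprint from the current request and compare it in
    constant time with the one stored at login. A mismatch means the cookie
    is being presented from a different browser or address than it was issued to."""
    expected = fingerprint(user_agent, client_ip if session["bind_ip"] else None)
    return hmac.compare_digest(expected, session["fingerprint"])


def referrer_ok(referer_header: Optional[str], own_host: str) -> bool:
    """Referrer check for state-changing requests: accept only requests whose
    Referer names our own host. A missing header is treated as a failure here;
    some deployments choose to allow it, since browsers and proxies may strip it."""
    if not referer_header:
        return False
    return urlsplit(referer_header).hostname == own_host


def demo() -> dict:
    """Walk through the checks with constructed request values."""
    ua = "Mozilla/5.0 (constructed example)"
    sess = new_session(ua, "192.0.2.10")                 # RFC 5737 documentation address
    proxied = new_session(ua, "192.0.2.10", bind_ip=False)
    return {
        "same_client": session_matches(sess, ua, "192.0.2.10"),
        "copied_cookie_other_browser": session_matches(sess, "curl/8.0 (constructed)", "192.0.2.10"),
        "same_browser_new_ip": session_matches(sess, ua, "192.0.2.11"),
        "proxied_new_ip": session_matches(proxied, ua, "192.0.2.11"),
        "referrer_own_host": referrer_ok("https://example.test/admin/edit", "example.test"),
        "referrer_other_host": referrer_ok("https://other.test/page", "example.test"),
        "referrer_missing": referrer_ok(None, "example.test"),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:>28}: {ok}")
```

The cookie value is a random token, so possession of the cookie is the only credential; the fingerprint adds a second factor that a copied cookie alone does not carry. Binding to the IP is the part the post is unsure about, and the `bind_ip` flag is where that trade-off would be made per deployment rather than globally.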