Jem is a self-proclaimed l33t PHP ninja, and she knows what she's talking about. :P
Keep an eye on her website, she's very helpful on the subject and has many posts concerning it.
My list:
1. Only use error_reporting(E_ALL) while developing, in the release use error_reporting(0)
2. Don't be afraid to ask questions and get help
3. Report ANY errors/warnings
4. Never trust $_SERVER as it can be modified
5. Never trust anybody
6. The PHP manual can be very useful; don't be afraid, it's your friend.
7. Have people test your projects
8. XSS/CSRF etc attacks
9. Sanitize any user input (Forms, Get, Post, etc..)
10. Be especially careful if you use HTML selects, checkboxes, or radio buttons in forms, they can be changed by the user
11. Time and patients can make the biggest difference
12. You should probably make sure you're comfortable with any language you write a script/program in.
13. Lean by example -- look at other people's script.
14. Try to "break" the script on test runs
15. Password encryption
16. Never store sensitive stuff in .inc.php files
17. Place all config files, .ht* files out of your root directory
18. Ask questions: What could I have done differently? Why does X do this? Why does Y do that.
Sorry if the wording of these tips is a bit odd. :P
To add to this, don't forget that % and _ are both special characters in SQL. It is, however, much safer (harder to make mistakes) to limit input to the characters you want (e.g. [a-zA-Z0-9]) than to hope that you have a complete list of all SQL special characters.
IPTables can limit the number of connections an IP address can make in a given time limit and will simply drop packets until the IP address is below the limit again. You can also limit IP addresses by bandwidth in a given time limit. I'm sure other firewalls will have similar capabilities. Filtering such as this should be done as early as possible in the path through your system as that is where it has already had the least impact on the other users of your system.
I don't have a problem with calling your super user "root" but there is no harm in changing it. You should, however, definitely not allow this user to log in over the network. If the root user can log in over the network then an attacker brute forcing his way in already knows one username (and it's the most powerful user to boot)
Strangely enough, this post is almost not about PHP at all, but security involves the entire system so we shouldn't just focus on PHP anyway.
i have a simple way to prevent sql injection attact. usually, hacker test if sql vulnerable by adding a single or doble quote in input variable. like this:
?id=1' or ?id=1"
so, i remove any quote in all variable. i use str_replace().
i see why hacker do to attack sqlinjection vulnerability. like this:
?id=1+order+by+1--
?id=1+union+select+1,2,3--
so, i remove the +,-,%20,*.
i feel this is just little trick, but this so helpfull to prevent sql injection attact :-)
__________________
I am sorry my english is very bad. But I am very interest to discusse here :-)
I understand what you mean and a very good idea. Apart from the usual stuff like using a firewall, no telnet or FTP it would be good to compile a LAMP based check list to secure these things in a production environment.
Before you post, read our: 
