- Never put phpinfo() in the root directory
- Assignments in arrays may be aligned. When splitting array definitions onto several lines, the last value may also have a trailing comma.
- Never change the extension of a file on the server. Whenever you need to take a backup of a file, keep the .php extension (for example, rename index.php to index23-10-2014.php) so the copy is still executed rather than served as plain text.
- Use salted hashing instead of plain md5.
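As an added example (not part of the original list), this is how salted hashing looks in modern PHP: password_hash() generates a random salt per password and stores it inside the returned string, so the application never handles the salt itself.

```php
<?php
// Added example: salted password hashing with PHP's built-in API.
// password_hash() draws a fresh random salt for every call and embeds it,
// together with the algorithm and cost, in the returned string.

function storePassword(string $plain): string {
    // PASSWORD_DEFAULT is currently bcrypt; raise the cost as hardware improves.
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => 12]);
}

function checkPassword(string $plain, string $storedHash): bool {
    // Constant-time comparison of the candidate against the stored hash.
    return password_verify($plain, $storedHash);
}

function needsRehash(string $storedHash): bool {
    // True when the stored hash uses an older algorithm or a lower cost.
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Unsalted md5, which the list warns against: identical passwords produce
// identical digests, and precomputed tables recover common ones quickly.
$weak = md5('secret');

$hash = storePassword('secret');
var_dump(checkPassword('secret', $hash));
var_dump(checkPassword('Secret', $hash));
var_dump($hash === storePassword('secret'));
```

The last line is false: two calls on the same password yield different strings because each gets its own salt, which is exactly what a plain md5 column lacks. On a successful login, call needsRehash() and store a fresh hash if it returns true.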
- Never use overly simple passwords such as admin/admin123/password/123456.
- Don’t place a zip file of your code in the root directory.
- Use MySQLi or PDO as general practice to prevent SQL injection.
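The following is an added example, not code from the original list: the string-built query that the advice warns against, next to the prepared-statement versions in PDO and MySQLi. The DSN, table and credentials are placeholders.

```php
<?php
// Added example: SQL injection-prone query vs. prepared statements.
// Connection details are placeholders; the users table is assumed.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Vulnerable: request data is concatenated into the SQL text, so the
// database cannot tell the value apart from the query.
function findUserUnsafe(PDO $pdo, string $username): ?array {
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened (PDO): the value travels as a bound parameter, never as SQL text.
function findUser(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened (MySQLi): same idea with positional placeholders and bind_param.
function findUserMysqli(mysqli $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$user = findUser($pdo, $_GET['username'] ?? '');
```

Note that prepared statements only bind values; table and column names still cannot be parameterised and must come from a fixed allow-list in the code.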
- Use hidden tokens in forms to protect them from spamming or spoofing.
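One way to implement such a hidden token, as an added example rather than code from the original list: a random per-session value is written into a hidden field and compared in constant time on every POST. The session key name csrf_token is an assumption.

```php
<?php
// Added example: anti-forgery token carried in a hidden form field.
session_start();

function csrfToken(): string {
    // One random token per session; random_bytes() is cryptographically secure.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string {
    // Escaped even though the token is hex, so the habit carries over.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $post): bool {
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() avoids timing differences between near-matching strings.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... handle the submitted form ...
}

echo '<form method="post">' . csrfField() . '<button>Send</button></form>';
```

Forms submitted without the field, or with a token from another session, are rejected before any processing happens.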
- Never leave any extra files on the FTP server.
- Always add a random string to the uploaded image name.
- Don’t store any passwords or credentials on the server as a text file.
- Always put a MIME type check on image uploads.
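The two upload items above (random name, MIME check) fit naturally in one handler. This is an added example, not code from the original list; it goes slightly beyond the advice by replacing the whole filename with a random one and deriving the extension from the detected type. The upload directory and the image field name are assumptions.

```php
<?php
// Added example: image upload with content-based MIME check and random name.
$uploadDir = __DIR__ . '/uploads';   // assumption: a directory where PHP is not executed
$allowed   = [                        // server-side map from detected type to extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function saveImage(array $file, string $uploadDir, array $allowed): string {
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // Detect the type from the file's bytes; $file['type'] comes from the
    // client and is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Not an allowed image type');
    }

    // Second check: the file must actually parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Random name with a server-chosen extension; the original name is discarded.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = $uploadDir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if (isset($_FILES['image'])) {
    echo saveImage($_FILES['image'], $uploadDir, $allowed);
}
```

Because the stored name never contains user input, path traversal and double-extension tricks in the original filename have nothing to act on.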
- Sanitize HTML input and output to prevent XSS attacks. Use the htmlentities() function on all GET and POST data.
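Added example (not from the original list) of escaping at output time. It uses htmlspecialchars() rather than htmlentities(); both escape the characters that matter for XSS, and with ENT_QUOTES the result is safe in both text content and quoted attribute values.

```php
<?php
// Added example: escape request data where it is written into HTML.
function e(string $value): string {
    // ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = $_GET['name'] ?? '';

// Vulnerable: raw request data inserted into the page.
// echo "<p>Hello, $name</p>";

// Escaped in text content and inside an attribute value.
echo '<p>Hello, ' . e($name) . '</p>';
echo '<input type="text" name="name" value="' . e($name) . '">';
```

Escaping belongs at the output boundary: store the original value and escape for the context it is rendered in (HTML here; JavaScript or URL contexts need their own encoders).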
- When checking whether a value is null or false, use the === operator, which matches null and boolean false exactly rather than any loosely equal value.
- Consider Memcache for caching in your projects
- Use PHPMailer or another mailing library instead of the mail() function.
- Do destructive testing to try to break the code as part of the unit tests.