PHP is a server-side scripting language that is among the most popular choices for web applications. Web administrators love it, and some of the world’s top websites rely on it. Because it uses server-side scripting, however, there are inherent risks involved with using it. By knowing those risks and how to deal with them, you can keep your server secure from would-be attackers.
SQL Injection – Many websites use some form of database in conjunction with PHP, and SQL relational databases are a popular choice. With SQL injection, the attacker injects harmful code into a PHP query and is able to gain access to the server or some sensitive data therein.
Cross Site Scripting (XSS) – XSS uses malicious links or other sneaky techniques in order to insert false posts into scripts on your site. What may seem like an annoying popup originating from your site turns out to be a link from the attacker aimed at luring the user into a trap.
Register Globals – This is actually a PHP setting called Register_Globals that makes it easier for developers to access variables. It should be off by default, but if it is on, it can pose a security risk.
For more information about PHP security, see this documentation.