PHP Security is like manure, if you only do it in one spot – it stinks, but if you spread it around, it will grow wonderful things.
When I used to hear about different php packages being compromised (see netcraft.com regarding phpBB for instance) I would immediately brush it off as a fluke or the work of some nerd with WAY too much time on his/her hands who was instigating trouble. Sometimes that profile fits. Sometimes not. Sometimes the hacker doesn’t do any harm, they are just using the exploit as a jumping off point to do damage to other sites. Sometimes that have truly malice intent.
I also thought that the only things being hacked were extremely high profile open source products or Microsoft products. Bear with me, my naivety worstens. Then I thought it might only happen to eCommerce sites.
Someone hacked my personal website (a few years ago, and which is no longer running) just because I had cool movie quotes on it. Seriously, when you look at the server logs, it was simply an attack on a php page that I wrote in my early days of learning PHP and they completely overloaded the server. They exploited one little page to bring down an entire shared hosting environment. And all because of one little security bug I overlooked to make life easier while I was writing the code…in this case:
The moral of the story, if there is one, is don’t think your scripts are safe just because they are only used on one little page on a site that hasn’t peak 1000 hits a year. You are vulnerable. And you may luck out, and the bad guys may never find out…but what if they do…
Be secure in all your form processing, variable loading, sql using and watch your website grow.