Do not trust user input.

Validation of expected data types and formatting is essential to avaoiding SQL injection and Cross-Site Scripting (XSS) attacks.

1. Escape user provided content to avoid XSS attacks.
2. Using paremeterised SQL or stored procedures to avoid SQL Injections attacks.
3. Running the webserver as an unprivileged account to minimise attacks on the OS.
4. Setting the webserver directories to an unprivileged account, again, to minimise attacks on the OS.
5. Setting up unprivileged accounts on the SQL server and using them for the application to minimise attacks on the DB.

For more in depth information, there is always the OWASP Guide to Building Secure Web Applications and Web Services

Some of my favourites:

1. Filter Input, Escape Output to help guard against XSS or SQL injection attacks
2. Use prepared statements for database queries (SQL injection attacks)
3. Disable unused user accounts on your server to prevent brute force password attacks
4. Remove Apache version info from HTTP header (ServerSignature=Off, ServerTokens=ProductOnly)
5. Run your web server in a chroot jail to limit damage if compromised

OWASP is your friend. Their Top Ten List of web application security vulnerabilities includes a description of each problem and how to defend against it. The site is a good resource for learning more about web application security and is a wealth of tools and and testing techniques as well.

Set the secure flag on cookies for SSL applications. Otherwise there is always a highjacking attack that is much easier to conduct than breaking the crypto. This is the essence of CVE-2002-1152.