Steps to become web security savvy

Posted 2020-07-26 14:20

I've been coding in C++, Matlab, and similar languages for scientific purposes for quite some time now, but I recently wanted to get into web programming. I've taught myself HTML and CSS and I've dabbled in JavaScript, PHP, and MySQL. I would really like to start making more advanced, user-driven websites (if that makes sense - ultimately sites similar to Twitter and Facebook in functionality), but I am worried that I don't know enough about internet security and vulnerabilities to make sure that the programming decisions I make are secure/safe.

What suggestions do you have or information can you offer me that will help me be confident in the security of the code that I produce?

If none of this makes sense or you would like some clarification, just ask.

Tags: security
7 answers
孤傲高冷的网名
#2 · 2020-07-26 14:26
  1. Validate all user input, never use it verbatim in other text-based protocols (SQL, HTML, XML, JS). Try to think about any imaginable way to crash your software via specially crafted input and prevent it.

  2. Verify user identity. Think about any imaginable way someone can intercept user's identification information and do something bad on his behalf. Prevent it.

This is basically it.

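An added example, not from the thread, of point 1 applied in PHP with PDO (the asker's PHP/MySQL stack, using an in-memory SQLite table so it runs stand-alone): the same untrusted value is validated first and then handled differently for the SQL, HTML and JavaScript contexts. All function and table names are made up.

```php
<?php
// Added example (not from the thread): one untrusted value, three output
// contexts. Function and table names are hypothetical.
declare(strict_types=1);

// Constructed sample input, the kind of thing a hostile user types into a form.
$rawName    = "bob' OR '1'='1";               // constructed: breaks naive SQL concatenation
$rawComment = '<script>alert(1)</script>';    // constructed: breaks naive HTML output

// 1. Validate against an allow-list before the value goes anywhere.
function isValidUsername(string $s): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $s);
}

// 2. SQL context: never splice text into the statement; bind it as a
//    parameter so the driver treats it as data, not as part of the query.
function findUserId(PDO $pdo, string $name): ?int {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// 3. HTML context: escape on output, not on input, so the stored data stays
//    exact and the escaping matches the place it is rendered.
function toHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. JavaScript context: JSON-encode with the HEX flags so the value can
//    neither close a <script> tag nor break out of a string literal.
function toJsLiteral(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// In-memory SQLite table so the example runs without a MySQL server.
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('bob'), ('alice')");

var_dump(isValidUsername($rawName));   // rejected: quote and spaces fall outside the allow-list
var_dump(findUserId($pdo, $rawName));  // no row: the quote is data, so no user has that literal name
var_dump(findUserId($pdo, 'bob'));     // the legitimate name is still found
echo toHtml($rawComment), "\n";        // tag characters are rendered as text, not executed
echo '<script>var c = ', toJsLiteral($rawComment), ";</script>\n";
```

The same value needs a different encoder for each context; a single "sanitize" pass on input cannot cover all of them.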
来,给爷笑一个
#3 · 2020-07-26 14:27

Check out Writing Secure Code by Michael Howard and David LeBlanc from Microsoft Press. It's got a lot of good information on secure coding in general as well as a chapter or two specific to web programming. It's a Microsoft book but most of the ideas translate to whatever language you are working in.

Link to Amazon.

Summer. ? 凉城
#4 · 2020-07-26 14:32

You'll want to learn about SQL injection attacks, cross-site scripting attacks, and you'll have to develop a healthy paranoia regarding how you manage input to your system. This includes learning how to sanitize user input, how to properly use sessions to save state across pages, and how and when to use SSL.

You will also want to be aware of the prevalence of FTP account hacking, the dangers of shared hosting environments, and general ways that web servers can be exploited.

There are a few books that cover PHP/MySQL security issues specifically that you might find useful.

Deceive 欺骗
#5 · 2020-07-26 14:38

I'd say to start off with looking into SQL injection, cross-site scripting and cross-site request forgery. Those should give you an idea of the kind of things to watch out for and get you into the right mindset (never trust user input to be what you think it will be or what it "should" be).

啃猪蹄的小仙女
#6 · 2020-07-26 14:40

Input (and output) validation are very important, as pointed out above, and so is identity management. But there is definitely more to writing a secure web application.

Start by getting familiar with the free tools and resources at OWASP http://www.owasp.org and subscribe to their news feed.

Get some kind of foundational training in web security: I recommend the online Advanced Software Security program at Stanford University http://scpd.stanford.edu/computerSecurity/; at least take the Foundations course, it is worth it if you need someplace to start.

Check out the training programs and other resources at the SANS Institute http://www.sans.org, get on their vulnerability email list and other email lists. SANS offers a course in secure PHP programming http://www.sans.org/securitywest09/description.php?tid=2142.

SAY GOODBYE
#7 · 2020-07-26 14:41

The other submitted answers offer good advice, but to break it down into a system of rules:

  1. Be paranoid

    1. Assume that your users are actively hostile.
    2. Assume that your code isn't secure.
    3. Verify (client-side and server-side) everything:

      1. ...that your users submit.
      2. ...that you store in your database.
      3. ...that you read from the database.
    4. Don't allow your users to see any error messages that you didn't create. If `verify_username() expects exactly two parameters`, don't let your users ever see that error message. They shouldn't know the names of your functions, nor what they expect to work with, output or fail on.
  2. Be smart

    1. Your code, and mine, sucks; keep on top of new work.
    2. Read around the subject, even the ones you find dull, and definitely the ones you have trouble understanding.
    3. Assume your users are smarter than you (those that are actively hostile are probably more experienced than you at breaking your locks).
    4. Have error checks for everything you can think of, and then ask a child of around four to press everything and fill in any forms/fields you might have. If something goes crazy (an alphanumeric instead of an integer, or anything else) add error conditions to stop it exposing your script's internals to the world.
    5. Move everything you possibly can outside of the web root to prevent any chance of a user accessing your scripts from another site or their machine.

That might be a little bleak, or cynical, but even with those rules I don't think we'll be 'safe.' Security's one of the oldest forms of a war of escalation; some we win and some we lose, but we'll only ever hear about the losses. And we're unlikely to ever hear about all of those.

Just do your best to keep those in mind, and then, if you think of any more-paranoid means to effect your site's security, don't hesitate to become more practically-paranoid. And feed back to the community; we all need help with this.

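Rules 1.3, 1.4 and 2.4 applied in PHP, as an added example that is not part of the answer: a strict server-side integer check that fails on "letters instead of a number", and an exception handler that logs the real error but shows the user only a generic message with a reference id. The function names, the `page` field and the request arrays are made up.

```php
<?php
// Added example (not from the thread): reject bad input server-side and keep
// PHP's own error text out of the response. Names are hypothetical.
declare(strict_types=1);

// Never rely on PHP's default error pages: they print function names, file
// paths and argument counts, exactly what rule 1.4 says users must not see.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Strict integer check: FILTER_VALIDATE_INT rejects "7abc", "1e3", floats and
// anything outside the allowed range, so the "alphanumeric instead of an
// integer" case of rule 2.4 never reaches the query layer.
function requireInt(array $input, string $key, int $min, int $max): int {
    $value = filter_var($input[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($value === false) {
        throw new InvalidArgumentException("field '$key' is not an integer in range");
    }
    return $value;
}

// Everything error-related that reaches the browser goes through here; the
// detail goes only to the server log, tagged with an id the user can quote.
function failSafely(Throwable $e): string {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    return "Something went wrong. Reference: $ref";
}

// Catch-all for anything not handled explicitly, so an uncaught exception
// still produces the generic message rather than a stack trace.
set_exception_handler(function (Throwable $e): void {
    echo failSafely($e), "\n";
});

// Constructed request data, as a clumsy or hostile user would send it.
$good = ['page' => '7'];
$bad  = ['page' => '7abc'];   // letters where an integer was expected

echo 'page=', requireInt($good, 'page', 1, 1000), "\n";
try {
    requireInt($bad, 'page', 1, 1000);
} catch (InvalidArgumentException $e) {
    echo failSafely($e), "\n";   // user sees the reference only; the field name stays in the log
}
// Deliberately uncaught: the handler above answers it, and the script stops here.
requireInt(['page' => '-5'], 'page', 1, 1000);
```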