Always use POST and not GET for important Data...

Avoid using register_globals.

Warning: This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

• Cross Site Scripting (XSS) Wiki, Google
• Cross Site Request Forgery (XSRF/CSRF) Wiki, Google (thanks Rook)
  • Session Fixation Wiki, Google
• SQL Injection (SQLi) Wiki, Google
• Turn off error messages in Production environments
• Keep any "include" code in a directory that is not web-accessible (either deny access or keep it outside of the webroot)
• Here's an article I wrote about storing passwords in a secure way, and if you don't feel like taking my word for it, check the links at the bottom.
• Also linked in my article, but given its own separate link here, is a paper published by M.I.T. called The DOs and DON'Ts of Client Authentication on the Web ^[PDF]. While some of its info (recommendation to use MD5 hash, for one) is somewhat out of date simply because of what-we-know-now versus what-we-knew-then, the overall principles are very strong and should be considered.
• One of Rooks' links reminded me of another important set of restrictions
  • Turn off Register Globals (This is the default now, so I hadn't mentioned it before)
  • When dealing with file uploads, be sure to use is_uploaded_file() to validate that a file was uploaded and move_uploaded_file() instead of copy() or rename().
    • Read this section of the PHP Manual if you need to know why (and you do).
• Since I've now mentioned him twice, check out Rooks's Answer (https://stackoverflow.com/questions/2275771/what-are-the-most-important-safety-precautions-that-a-php-developer-needs-to-know#2275788) as it includes a link to a document which contains (Non-PHP-Specific) information on the most important security concerns (and this therefore probably the right answer).

OWASP provides a lot of insight into security issues that are the biggest problems in applications today. It is nice to see that they have a PHP dedicated page available

http://www.owasp.org/index.php/PHP_Top_5

don't use "Register Global Variables" and filter user input for xss and injections

Have a look at the Suhosin Hardening Patch, and check out the security vulnerabilities that it addresses.