Today, Rasmus Lerdorf, the man who kick-started PHP, gave a great talk on PHP Performance and Security.
He began by talking about the new MySQL native driver. He showed some benchmarks in which the driver appeared to offer little performance improvement.
Next he covered attacks that work by passing extra data in the URL. Even escaping URL parameters with htmlspecialchars() doesn't protect you from characters that arrive already escaped in a different encoding and are only decoded and evaluated once they reach the browser, where they can do harmful things.
Cross-site request forgery is another huge problem. Adding a hidden input field that carries some sort of session-bound token, or "crumb" as he calls it, and checking it against the value held in the session on each request lets you verify that the request actually came from your own form rather than from a third-party site.
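To make the crumb idea concrete, here is an added example (my code, not Rasmus's and not from his slides) of a minimal session-bound crumb in PHP. It assumes PHP 7 or later for random_bytes() and hash_equals(), and the form action /transfer.php is a hypothetical endpoint:

```php
<?php
declare(strict_types=1);

session_start();

// Issue a crumb for the current session: a random secret stored server-side and
// handed to the browser only inside the page body (hidden input), never in a cookie.
// A forged cross-site POST carries the session cookie automatically but cannot
// read this value out of the victim's page, so the check below fails for it.
function crumb_issue(): string
{
    if (empty($_SESSION['crumb'])) {
        $_SESSION['crumb'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['crumb'];
}

// Verify a submitted crumb against the session copy in constant time.
function crumb_verify(?string $submitted): bool
{
    if (empty($_SESSION['crumb']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['crumb'], $submitted);
}

// Render a form with the crumb in a hidden field. The value is HTML-escaped with
// ENT_QUOTES and an explicit charset so the output context is unambiguous.
function render_form(): string
{
    $crumb = htmlspecialchars(crumb_issue(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer.php">'  // hypothetical endpoint
         . '<input type="hidden" name="crumb" value="' . $crumb . '">'
         . '<input type="text" name="amount">'
         . '<button type="submit">Transfer</button>'
         . '</form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!crumb_verify($_POST['crumb'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing crumb');
    }
    // Crumb matched: perform the state-changing action here.
    echo 'ok';
} else {
    echo render_form();
}
```

The crumb should be regenerated whenever the session is (re)established, for example at login, so a token observed in an earlier session is useless afterwards.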
Rasmus has made his presentation available online at http://talks.php.net/show/mysql07.