Anyone writing web-based applications should refer to the above link and audit their code.
This is one of the best ways to improve the security of the application, and to learn how to write more secure applications in the future.
Never assume that your application can’t be attacked or compromised.
Although existing open source software on publicly accessible servers is easier for malicious users to attack and defeat, custom applications are not immune.
Reasons you should always strive to build secure applications:
- Improved security protects the data, the code, the server, the network the server is on, and your job. It limits the time wasted cleaning up after compromises.
- Quality. Security, done well, usually improves quality. It requires greater care to write the code.
- Future use of the code. Many applications start with a particular goal and grow. Soon they are distributed, and a wide audience can look at the code, either with an eye to collaborate - or attack.
Another excellent resource is http://phpsec.org, they have an audit you can run.
Don’t discount vulnerabilities with ‘that threat would not apply.’ Assume all threats will apply, because, in all likelihood, if they don’t at launch time, they will in the future.
Invest in SSL/HTTPS at the beginning and learn about Web Application Firewalls like mod_security (http://mod_security.org). It is okay to use a self-signed certificate, instruct affected users to trust it, with instructions on how to verify it (a screenshot is good).
Most importantly, take the time to read and learn. Even if you can’t address every issue as well as you would like, strive to address as many as possible. Loop back to improve the code if you have time.