Disable PHP's Bad Features

Register Globals (register_globals):
Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables.
We cannot disable register_globals from the script side (using ini_set(), like we normally might), but we can use an .htaccess file to do this. Some hosts also allow you to have a php.ini file on the server.

Disabling with .htaccess
php_flag register_globals 0

Disabling with php.ini
register_globals = Off
 

Magic Quotes (magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase):
magic_quotes_gpc: Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single quote), " (double quote), \ (backslash) and NUL characters are escaped with a backslash automatically.

magic_quotes_runtime: If magic_quotes_runtime is enabled, most functions that return data from any sort of external source, including databases and text files, will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single quote is escaped with a single quote instead of a backslash.

magic_quotes_sybase: If magic_quotes_sybase is on, a single quote is escaped with a single quote instead of a backslash when magic_quotes_gpc or magic_quotes_runtime is enabled. This setting is also respected by addslashes() and stripslashes().

We also cannot disable magic quotes from the script side using ini_set(). As with register_globals, we can use .htaccess or php.ini files to do this.

Disabling with .htaccess
php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0
php_flag magic_quotes_sybase 0

Disabling with php.ini
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
 
Don't Put phpinfo() in your Webroot:
Phpinfo is a beautiful thing. By simply creating a PHP file that has
      <?php phpinfo(); ?>
and dropping it onto the server somewhere, you can instantly learn everything about your server environment. However, a lot of beginners will place a file containing phpinfo() in the webroot of the server. This is a really insecure practice, and if prying eyes gain access, it could potentially spell doom for your server. Make sure phpinfo() is in a secure spot, and as an extra measure, delete it once you're done.

Never, Ever Trust Your Users:
If your application has places for user input, you should always assume that they're going to try to input naughty code. (We're not implying that your users are bad people. It's just a good mindset.) A great way to keep your site hacker-free is to always initialize your variables to safeguard your site from XSS attacks. PHP.net has an example of a properly secured form with initialized variables:
   <?php
   // Initialize $login before it is used, so that a request parameter named
   // "login" cannot pre-set it when register_globals is on.
   $login = false;

   if (correct_user($_POST['user'], $_POST['password'])) {
       $login = true;
   }

   if ($login) {
       forward_to_secure_environment();
   }
   ?>

Store Passwords with Encryption:
Many PHP beginners plunk sensitive data like passwords into the database without applying any protection at all. Consider using MD5 to hash passwords before you put them into the database; md5() is a one-way hash, not reversible encryption, so the original password is never stored. Note that MD5 is fast and unsalted, so on current PHP the dedicated password_hash() function is the preferable choice.
    echo md5('myPassword'); // renders - deb1536f480475f7d593219aa1afd74c 

Validate Cookie Data:
Cookie data, like any data passed over the Web, can be harmful. You can validate cookie data with either htmlspecialchars() or mysql_real_escape_string().

Reduce the Number of Database Queries:
The more you cut back on the number of database queries, the better your PHP script will perform. There are tools like strace (Unix) and Process Explorer (Windows) that allow you to find redundant processes and see how you might combine them.

Don't Copy Extra Variables:
Some people like to try and make their code more appealing by copying predefined variables into shorter-named variables. This is redundant and could potentially double the memory use of your script. Google Code has bad and good examples of variable usage:
Bad
   $description = strip_tags($_POST['description']); 
   echo $description; 

Good
   echo strip_tags($_POST['description']); 

Protect your Script From SQL Injection:
If you don't escape the characters used in your SQL strings, your code is vulnerable to SQL injection. You can avoid this either by using mysql_real_escape_string(), or by using prepared statements.
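As an added example that is not part of the original article, here is the same user lookup written first with string interpolation (the vulnerable form) and then as a prepared statement. It assumes a mysqli connection (the mysql_* functions named above were removed in PHP 7) and a hypothetical users table with id and username columns.

```php
<?php
// Added example (not from the original article): vulnerable query beside the
// prepared-statement version. Assumes mysqli with mysqlnd (for get_result())
// and a hypothetical table users(id, username). Credentials are placeholders.

function connect(): mysqli
{
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    if ($db->connect_error) {
        throw new RuntimeException('DB connect failed: ' . $db->connect_error);
    }
    $db->set_charset('utf8mb4'); // escaping rules depend on the charset
    return $db;
}

// VULNERABLE: untrusted input is pasted straight into the SQL text. A quote
// character in $username ends the string literal, and whatever follows is
// parsed by the server as part of the statement.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// SAFE: the statement text is sent to the server first with a placeholder,
// and the value is bound separately as data, so it can never alter the
// structure of the query. No manual escaping is needed.
function findUserSafe(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage: the value comes from the request and is treated as untrusted data.
$db = connect();
$username = $_POST['username'] ?? '';
$user = findUserSafe($db, $username);
echo $user ? "Found user {$user['username']}" : 'No such user';
```

Using htmlspecialchars() on output remains necessary when you print the result into a page; a prepared statement only protects the database layer.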
 
Resources:
1. http://php.net/configuration.changes and
2. Internet