PHP application security is a total mess. For fun one night I jumped on Source Forge and looked for PHP apps with remote exploits. I found a remotely exploitable hole in the first application I downloaded. I was so disgusted I ended up writing a guide for newbies to avoid some common security mistakes.

https://linuxfreak.us/wordpress/writing-secure-code-in-php/