Peter Ammon wrote:
> I'm bewildered why you haven't mentioned magic quotes. A one line change to the configuration file can render your PHP site almost entirely immune to SQL injection attacks.

PHP's magic quotes is one of the most poorly-designed features I can think of. Instead of magically escaping only strings which will actually be passed to a database (like Python's DB-API does), it escapes every string that comes from the user, meaning that strings which will be sent back to the user have to be manually unescaped.

Even worse, since it can be turned on and off, code which is designed for a magic_quotes=on environment will become seriously vulnerable when moved to an environment with magic_quotes off. Security-related features should never be toggleable!
--
http://mail.python.org/mailman/listinfo/python-list
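The contrast the reply draws, escaping only what actually reaches the database rather than every user string, is what DB-API parameter binding gives you. The following is an added example, not code from either poster; it uses the standard-library sqlite3 module (a DB-API driver) with a constructed in-memory users table, and contrasts a string-formatted query with a parameterized one on the same inputs. The user names and the probe input are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Build a small in-memory database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Interpolates user input into SQL text.

    A quote in the input either breaks the statement (for "o'neil" the
    driver raises an error because the string literal ends early) or
    changes its meaning, so the input is parsed as SQL, not as data.
    """
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Binds user input as a parameter; the driver quotes it for the
    database only, so it is always compared as a plain value."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def echo_roundtrip(conn, name):
    """Store a quoted name and read it back.

    Because the DB-API layer escapes only on the way into the database,
    the value comes back exactly as the user typed it; nothing has to be
    unescaped before showing it to the user again.
    """
    conn.execute("INSERT INTO users VALUES (?, 'user')", (name,))
    row = conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that changes the WHERE clause
    print("formatted query:", lookup_vulnerable(db, probe))  # every row
    print("bound parameter:", lookup_safe(db, probe))  # no such user
    print("round trip:", echo_roundtrip(db, "d'angelo"))  # d'angelo
```

The parameterized version is also the one that tolerates legitimate data such as `o'neil`, which the formatted query cannot even execute; that is the practical reason to bind parameters everywhere rather than rely on a global escaping switch that may or may not be set on the next host.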