The basic rule is to never trust user input; always sanitize it before you insert it into your database.
Also, if you are going to display user-entered text, make sure to transform any HTML tags they enter into the relevant HTML entity. This will stop them from inserting content on your pages that you don't want.
I also noticed that if some servers are not configured properly, or if they restart at just the right time, your PHP code could be sent as plain text embedded in the webpage. I'm not exactly sure what causes this, but I've only seen it with smaller, not so well developed sites. Avoid placing any passwords and other confidential data in scripts the visitor can access.
As for making PHP faster, I recommend staying away from excessively nested branches:
Sometimes it's quicker to code operations manually instead of using function calls:
$array[] = 1;
// is faster than
array_push($array, 1);
// if you only have one element to add to the array
// (the [] and the array_push() line appear to have been lost from the post; reconstructed from the surrounding text)
Hope that helps
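The two rules at the top of the answer (keep user input out of the SQL, and entity-encode it when you display it), as an added PHP example that is not part of the original post. It binds the values with PDO prepared statements rather than escaping them into the query, and uses htmlspecialchars() on output; the comments table, its columns, the in-memory SQLite database and the sample rows are assumptions made for the example.

```php
<?php
// Added example, not code from the original answer. It uses PDO with an
// in-memory SQLite database so it runs stand-alone; the table name,
// column names and sample rows are assumptions for illustration.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// The input never becomes part of the SQL text: the statement is fixed and the
// values are bound separately, so quotes in the data cannot change the query.
function insertComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// UNSAFE lookup, kept only to show what the rule in the answer prevents:
// the raw input is spliced straight into the query string.
function findByAuthorUnsafe(PDO $db, string $author): array
{
    return $db->query("SELECT author, body FROM comments WHERE author = '$author'")->fetchAll();
}

// Safe lookup with a bound parameter.
function findByAuthor(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll();
}

// Escape on output: <, >, &, " and ' become entities, so whatever a user typed
// is shown as text instead of being interpreted as markup by the browser.
function renderComment(array $row): string
{
    $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body   = htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><b>{$author}</b>: {$body}</p>";
}

$db = openDb();

// Constructed sample data: one body carries a script tag, the other a quote.
insertComment($db, 'alice', '<script>alert(document.cookie)</script>');
insertComment($db, 'bob', "it's fine");

// Constructed hostile input: a quote that closes the literal plus an always-true clause.
$hostile = "' OR '1'='1";

$leaked = findByAuthorUnsafe($db, $hostile);   // the clause matches every row
$safe   = findByAuthor($db, $hostile);         // no author is literally "' OR '1'='1"
printf("unsafe lookup returned %d rows, safe lookup returned %d rows\n", count($leaked), count($safe));

// Displaying alice's comment: the tag is entity-encoded, so the browser shows it as text.
foreach (findByAuthor($db, 'alice') as $row) {
    echo renderComment($row), PHP_EOL;
}
```

Run it with `php example.php` (any PHP build with pdo_sqlite). The same hostile string returns every row through the string-built query and nothing through the prepared one, which is the difference between sanitizing the query and keeping data out of it; the escaping on display is done at output time, not before storage, so the stored text stays intact and can be shown safely in any context that expects HTML.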