Always keep in mind what character set your data is in and use the proper methods to deal with it (e.g. always specify the correct charset when using [fphp]htmlentities[/fphp]); otherwise you might end up with security problems even though you’re “escaping.”
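To make the charset point concrete, here is an added example (not code posted by anyone in this thread) showing output escaping with an explicit charset that matches the one the page is served in. It assumes PHP 7 or later with the mbstring extension; the helper names `require_utf8` and `e`, the `PAGE_CHARSET` constant and the sample strings are this example's own.

```php
<?php
// Added example, not code from the thread: escape output with an explicit
// charset that matches the one the page is served in.  Assumes PHP 7+ with
// the mbstring extension; the function names are this example's own.

const PAGE_CHARSET = 'UTF-8';

// Refuse input that is not valid in the charset we claim to be handling.
// Letting malformed bytes through invites a later component (browser, DB,
// template engine) to reinterpret them under a different charset.
function require_utf8(string $s): string
{
    if (!mb_check_encoding($s, PAGE_CHARSET)) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $s;
}

// Escape for HTML text or a quoted attribute.  The charset argument is the
// same constant the Content-Type header advertises, so the escaper and the
// browser agree on where each character starts and ends.  ENT_SUBSTITUTE
// replaces invalid sequences with U+FFFD instead of returning "" silently.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, PAGE_CHARSET);
}

// The response header must carry the charset too: a page with no declared
// charset can be content-sniffed into another encoding, and escaping done
// in UTF-8 says nothing about what the same bytes mean in that encoding.
if (!headers_sent()) {
    header('Content-Type: text/html; charset=' . PAGE_CHARSET);
}

// Constructed inputs for the demo, not real user data.
$samples = [
    'plain'   => 'Tom & Jerry <b>',
    'script'  => '<script>alert(1)</script>',
    'attr'    => '" onmouseover="alert(1)',
    'badbyte' => "\xC0<script>alert(1)</script>",   // not valid UTF-8
];

foreach ($samples as $label => $raw) {
    // Without ENT_SUBSTITUTE the 'badbyte' case yields "" and the field
    // silently disappears from the page; with it the bad byte becomes U+FFFD.
    $lenient = htmlentities($raw, ENT_QUOTES, PAGE_CHARSET);
    printf("%-8s lenient=%s strict=%s\n", $label,
        var_export($lenient, true), var_export(e($raw), true));
}

// Typical use: validate on the way in, escape on the way out.
$name = require_utf8($samples['attr']);
echo '<input name="user" value="' . e($name) . '">', "\n";
```

Run it from the CLI and compare the `lenient` and `strict` columns for the `badbyte` row: the lenient call drops the whole string, which is exactly the kind of silent behaviour change that goes unnoticed until someone relies on it. `htmlspecialchars` with the same flags and charset is the usual choice when you only need the five HTML-significant characters encoded.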
Seriously, though. You should be thinking “How do I make this secure?” before the first line of code is written, not when you’re getting ready to push to production. That’s why there are so many insecure programs on the market today (and PHP is notoriously bad for hosting many of them).
I agree in principle, but 5 times is not enough for a regular person. You can raise that to 10 or even 50, and still combat brute force.
I only chime in with this because I always forget which email address, user name or password I used for a particular site… sometimes I have to guess more than 5 times… and I HATE getting my account locked.
To the OP, if you even have to ask this question - do yourself a favor and get one of the good books mentioned above that cover the topic in detail. Seriously, you need an education that you won’t get from a few forum posts. Just trying to help.
The XSS Cheat Sheet is a checklist for XSS (cross site scripting) exploits.
Note that even if you have no XSS exploits, you also need to check for CSRF (cross domain request forgery), login-CSRF, and even clickjacking, and that is just on the client side. Server-side you will need to check for SQL and command injection flaws, and all manner of other validation and filtering related vulnerabilities.
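The CSRF, login-CSRF and clickjacking items from that list, as an added example that is not code from any poster here: a synchronizer-token check and an anti-framing header using only core PHP. It assumes PHP 7 or later, that session cookies are already configured as HttpOnly, Secure and SameSite in php.ini, and that the application calls these helpers from its own form handler; the helper names are this example's own.

```php
<?php
// Added example, not code from the thread: a synchronizer-token CSRF check
// plus an anti-clickjacking header, using only core PHP.  Assumes PHP 7+,
// that session cookies are already set HttpOnly/Secure/SameSite in php.ini,
// and that the application calls these helpers from its own form handler.

session_start();

// One random token per session, created on first use.  Because the token is
// issued to the *pre-login* session, the login form carries it as well, which
// is what blocks login-CSRF (an attacker logging the victim into the
// attacker's own account).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form, including login.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison.  The is_string guard matters: a plain == would
// happily compare an array or integer from a crafted request body.
function csrf_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $sent     = $post['csrf_token'] ?? null;
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Call once authentication succeeds: a fresh session id prevents fixation,
// and dropping the token keeps the pre-login token from outliving the login.
function rotate_after_login(): void
{
    session_regenerate_id(true);
    unset($_SESSION['csrf_token']);
}

// Clickjacking: forbid framing.  X-Frame-Options for older browsers,
// CSP frame-ancestors for current ones.
if (!headers_sent()) {
    header('X-Frame-Options: DENY');
    header("Content-Security-Policy: frame-ancestors 'none'");
}

// Handler sketch: GET renders the form, POST is rejected without a valid token.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('request rejected: missing or invalid CSRF token');
    }
    // ... perform the state change here; for a login form, finish with:
    // rotate_after_login();
} else {
    echo '<form method="post">', csrf_field(),
         '<button>Submit</button></form>', "\n";
}
```

The token lives in the session rather than in a cookie so that it is never readable from a subdomain or a sibling site, and the check runs before any state change, not after. The server-side items in the same list (SQL and command injection) are a separate topic: prepared statements and never passing user input to a shell, rather than anything a token can fix.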
Essential PHP Security is quite dated, so I wouldn’t use that as a definitive checklist. For one, I don’t think it even mentions the danger of serving uploaded files inline. There are probably other things that it is missing.
I don’t know of any definite checklist though. Maybe I’ll start one.