There’s a book from O’Reilly called “Essential PHP Security” written by Chris Shiflett that covers many of the areas where it is possible to write unsecure code and shows you how to resolve those issues.
To return to the OP, probably the easiest way is to just do a google search on insecure php code - you will find loads and loads of results, and if you read a bunch until you understand each and every pitfall, chances are you are pretty well covered.
The other best practice is to build everything looking for problems, issues, errors at every single spot of the code. So start by taking nothing for granted, and build outwards towards the end goal of the script. That way you cover all possible issues.
Yes it takes a little more time, but once you have some experience and some re-usable functions, its easy.
Stephen, can you explain how prepared statements are so much better? (This isn’t a hit on you, everybody that I talked to act like they are the best.) When I ask how are they better? I get “trust me they just are” kind of replies… You bind your parameter to string, well isn’t ’ OR 1’ or '; DELETE FROM customers WHERE 1 or username = ’ a string? Therefore it will still get through, and the extra effort is nullified?
You can actually make your code far more secure if you don’t use that function. All you need to do is to avoid needing that is to do the database accesses properly using PREPARE statements (either mysqli_ or PDO) where the SQL and the data are kept completely separate so that it is impossible for one to be confused as the other.That way you don’t need to call that function to try to keep then from being confused because they never occur in the same statement in order for the confusion to even be possible.