Comprehensive PHP Security Checklist (sk89q.com)
20 points by seiha on April 10, 2010 | 4 comments



This list includes a lot of PHP and web application security items, but is missing some topics and is light on how to properly handle situations. A few of the topics missing important information include:

  - Pseudo-random number generator issues
  - Email injection
  - Cross-site session transfer
  - Password hashing
I recently did a talk on PHP security at the Boston PHP Meetup, and my slides are available at http://wbond.net/security/. http://flourishlib.com/docs/Security includes more information about many of the topics I covered with links to learn more.


Stream of consciousness post here. For your first bullet, people should be aware of mt_rand()'s superiority to rand(). For your fourth bullet, people should be aware of hmac. (Am suggesting that awareness of these should be a necessity, though not sufficient for some purposes.)

Edit: Just read your powerpoint - it's a wonderful overview, with brief code samples. People getting started with this broad topic should definitely give it a read. And now I'm sad I missed your live talk a few weeks ago.


For the first bullet, I usually just do the following:

  dd if=/dev/urandom ibs=1000 count=1 2>/dev/null | tr -dc '0-9' | fold -w[number of digits you need] 
For the fourth, I agree with wbond: use bcrypt when possible.

Also, slide 27 should probably say 'fingerprint' in the second section.
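The `dd | tr -dc '0-9' | fold` pipeline above works by rejection sampling: only bytes whose value happens to be an ASCII digit are kept, so each kept digit is uniform. The practical catch is yield: only 10 of 256 byte values are digits, so a single 1000-byte read produces roughly 39 digits on average, and `fold -w` will simply emit a shorter line if you asked for more than that. The following Python is an added example, not code from the post or the linked checklist; it reproduces the same rejection-sampling idea against `os.urandom` but keeps reading until it has enough digits, and shows the `secrets` module equivalent.

```python
import os
import secrets


def random_digits_from_urandom(n_digits: int) -> str:
    """Return n_digits decimal digits derived from the OS CSPRNG.

    Mirrors ``tr -dc '0-9'`` applied to /dev/urandom bytes: a byte is kept only
    if its value is an ASCII digit, everything else is discarded (rejection
    sampling), so the kept digits are uniformly distributed. Unlike a single
    ``dd ... count=1`` read it keeps pulling bytes until the requested length
    is reached.
    """
    if n_digits < 0:
        raise ValueError("n_digits must be non-negative")
    out = []
    while len(out) < n_digits:
        for b in os.urandom(64):
            if 0x30 <= b <= 0x39:  # ASCII '0'..'9'
                out.append(chr(b))
                if len(out) == n_digits:
                    break
    return "".join(out)


def random_digits(n_digits: int) -> str:
    """Idiomatic equivalent: secrets.choice is backed by the same OS CSPRNG
    and already does unbiased selection from the alphabet."""
    return "".join(secrets.choice("0123456789") for _ in range(n_digits))


def expected_digits(n_bytes: int) -> float:
    """Expected number of digits that tr -dc '0-9' keeps from n_bytes random
    bytes: 10 digit values out of 256 possible byte values."""
    return n_bytes * 10 / 256


if __name__ == "__main__":
    print(random_digits_from_urandom(20))
    print(random_digits(20))
    print(f"1000 urandom bytes yield about {expected_digits(1000):.1f} digits")
```

If you stay with the shell one-liner, raise `ibs` (or use `count` > 1) so that the expected digit count comfortably exceeds the width you hand to `fold`, otherwise the first line may be shorter than you expect.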


"Use a “safe” encoding for your page (such as ISO-8859-1) or otherwise verify the content of inputted data to see if it is valid (including if you use UTF-8). This is because certain invalid character sequences can cause the next character (like < (!)) to be ignored in some encodings."

Could anyone elaborate on this? What are the 'dangers' of UTF-8 exactly? The author suggests that certain UTF-8 characters can mess with the markup. How?
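The risk the quoted sentence describes is a disagreement between decoders. A UTF-8 lead byte such as `0xE2` announces a three-byte character; a lenient decoder that trusts that announcement without checking that the following bytes really are continuation bytes will swallow whatever comes next, including a `<`. If the component doing your filtering decodes that way while the browser does not (modern browsers replace only the bad byte and keep the `<`), the filter sees harmless text and the browser sees a tag. The Python below is an added example, not code from the thread or the checklist: `naive_decode` is a constructed, deliberately lenient decoder written to exhibit exactly that behaviour, contrasted with Python's strict decoder, which is the check the checklist is asking for.

```python
def naive_decode(data: bytes) -> str:
    """Constructed lenient decoder (illustration only, not a real library).

    It trusts the length implied by each lead byte and never verifies that the
    bytes that follow are continuation bytes (10xxxxxx). An invalid lead byte
    therefore consumes the characters after it, which is the failure mode the
    quoted checklist text warns about.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            length = 1
        elif 0xC0 <= b < 0xE0:
            length = 2
        elif 0xE0 <= b < 0xF0:
            length = 3
        elif 0xF0 <= b < 0xF8:
            length = 4
        else:
            i += 1  # stray continuation byte: drop it
            continue
        chunk = data[i:i + length]
        try:
            out.append(chunk.decode("utf-8"))
        except UnicodeDecodeError:
            out.append("\ufffd")  # the whole chunk, '<' included, is gone
        i += length
    return "".join(out)


def is_valid_utf8(data: bytes) -> bool:
    """Strict validation: reject input that is not well-formed UTF-8 before any
    filtering or escaping runs, so every later component sees the same text."""
    try:
        data.decode("utf-8")  # Python's default error handler is strict
    except UnicodeDecodeError:
        return False
    return True


def contains_tag_start(text: str) -> bool:
    """Stand-in for a markup filter that looks for '<'."""
    return "<" in text


def compare_views(data: bytes) -> dict:
    """What a lenient filter, a browser-like replacing decoder, and strict
    validation each make of the same bytes."""
    lenient = naive_decode(data)
    browser_like = data.decode("utf-8", errors="replace")
    return {
        "lenient_sees_tag": contains_tag_start(lenient),
        "browser_sees_tag": contains_tag_start(browser_like),
        "valid_utf8": is_valid_utf8(data),
    }


# Constructed sample: a lone 3-byte lead byte immediately before '<'.
BAD_SAMPLE = b"\xe2<img src=x>"
# Constructed sample: well-formed UTF-8 with a real multibyte character.
GOOD_SAMPLE = b"caf\xc3\xa9 <b>x</b>"

if __name__ == "__main__":
    print(repr(naive_decode(BAD_SAMPLE)))           # the '<i' has vanished
    print(repr(BAD_SAMPLE.decode("utf-8", "replace")))  # '<' survives
    print(compare_views(BAD_SAMPLE))
    print(compare_views(GOOD_SAMPLE))
```

The defensive rule that follows is the checklist's: validate that input is well-formed UTF-8 (in PHP, `mb_check_encoding($s, 'UTF-8')` does this) and reject or normalise it before any filtering, so that the filter and the browser never decode the same bytes differently.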



