Use current versions Don't rely only on %safe_mode% Much better is usually %open_basedir% Set also %session.save_path% and %upload_tmp_dir% Prohibit errors printing - %display_errors% Beware of files uploaded by users - %engine% Set minimum privileges for a database user Files created by Apache have access to other identically created files even with %safe_mode%. Errors can reveal some sensitive information like paths, included files, variable names and so on. Consider input %?id[]=% (*Notice: Array to string conversion*). Usually %SELECT%, %INSERT%, %UPDATE%, %DELETE% and %LOCK TABLES% (on some tables) should be enough. http://php.vrana.cz/bezpecnost-weboveho-serveru.php http://php.vrana.cz/ukladani-souboru-od-uzivatele.php