Security in a web application boils down to always checking any user-supplied input data. %readfile($filename)% %system($cmd)% file uploads into document_root XSS - Cross Site Scripting hacks For a complete example, see %README.input_filter% in the PHP 5 source distribution and pecl/filter. For PHP4, you will have to patch your source with http://lerdorf.com/php/input_filter.txt