Great thread topic markl999.
Twig and yourself have about the same ideas I implement, but here are a few more that are pretty basic, but overlooked.
You should try to use different variables in your SQL return statements though. One of the downfalls of such queries, is that most people use something like:
Things along those lines are pretty easy targets for variable sniffers, and those with some common sense. Take a look around these very forums, and count how many people use $sql, $query, etc....Its pretty astronomical.
I tend to use off the wall variable names thanks to a friend of mine who used the dictionary, and than replaced letters withen a common word making it real hard for things as 'Jack the Ripper'. If they are in your head, or on paper, only you are going to know, or at least are going to make life a pain for those trying to hack you.
Things like:
Error reporting should be turned off at the point of opening public, and on for all development circumstances.
Commenting code for every action doesnt help either. It doesnt take a person with a great deal of knowledge to figure out plain text instructions.
Always vaildate everything using numbers and not text, and go with auto increment. It works, and as long as a map is not drawn to and from your SQL, everything will be cool.
Non Referer address at the top of each script. If it does not equal the link value, than kick em off the page. They got there without clicking on the link, and there are hidden variables you can use to make sure it isnt a hit or miss script. I cant remember the function off hand, but its a slick little function with plenty of power.
No cache, and pragma timeouts. A while back, I had a few scripts thanks to a site that allowed the scripts to cache on my hardrive.
There are more, but the theory "Keep it simple stupid" should be the motto to keep in mind.