- Escape user provided content to avoid XSS attacks.
- Using parameterised SQL or stored procedures to avoid SQL injection attacks.
- Running the webserver as an unprivileged account to minimise attacks on the OS.
- Setting the webserver directories to an unprivileged account, again, to minimise attacks on the OS.
- Setting up unprivileged accounts on the SQL server and using them for the application to minimise attacks on the DB.
For more in-depth information, there is always the OWASP Guide to Building Secure Web Applications and Web Services.
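As an added illustration of the first two points above (example code, not part of the original answer), here is a small Python script against a constructed in-memory sqlite3 table: the string-concatenated query beside its parameterised form, and HTML escaping of stored user content before it goes into a page. The function names and the sample rows are my own.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users, one with markup in their bio.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users (name, bio) VALUES (?, ?)",
        [("alice", "likes ciphers"), ("bob", "<b>hi</b>")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Vulnerable: the caller's value is spliced into the SQL text, so a
    # quote in the input changes the structure of the statement instead
    # of being matched as data.
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Parameterised: the value is bound separately from the statement, so
    # the same input is compared literally and simply matches no row.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_bio(bio: str) -> str:
    # Escape user content before embedding it in HTML so that tags and
    # quotes are shown as text rather than interpreted by the browser.
    return f"<p>{html.escape(bio, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"           # textbook tautology used only to show the difference
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no row matches that literal name
    for (bio,) in db.execute("SELECT bio FROM users ORDER BY id"):
        print(render_bio(bio))
```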