PHP Security Config

Posted on March 26, 2009

This post outlines a baseline security configuration for a production PHP server. Go through your php.ini file (php --ini shows which file the CLI loads; the web server's SAPI may load a different one, so check that too) and make the following changes in a production environment:

register_globals

This should be Off in production and in development alike, so that code which quietly depends on it is caught before it ships. The directive was deprecated in PHP 5.3 and removed in 5.4; on later versions it is simply gone and any line setting it is ignored.

; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = Off

display_errors

Error messages must not reach visitors: they leak file paths, SQL fragments and library versions. The directive that controls this is display_errors, not error_reporting, which selects which errors are raised at all; setting error_reporting to off silences logging as well, which is the opposite of what you want. Keep error_reporting at E_ALL and turn log_errors on so that problems still land in the error log.

; Print out errors (as a part of the output).  For production web sites,
; you’re strongly encouraged to turn this feature off, and use error logging
; instead.
display_errors = Off
log_errors = On
error_reporting = E_ALL

Functions That Should Be Disabled

List the following, comma-separated, in the disable_functions directive so that no script can call them. That directive can only be set in php.ini, not in .htaccess or with ini_set(). Disabling shell_exec() also disables the backtick operator. Bear in mind that this blocks only the named PHP functions; other routes to a process, such as pcntl_exec() on builds that include the pcntl extension, are not covered, so treat it as one layer and not the whole defence.

system()
exec()
passthru()
shell_exec()
proc_open()
popen()

open_basedir

Set this to the document root of the site plus the directory used for uploads and session files, so that PHP's file functions cannot reach anything else on the host. Separate entries with : (; on Windows) and end each entry with a slash, because the manual documents the value as a prefix match. The default, shown below, leaves it unset; as the comment says, it makes most sense per virtual host. It limits PHP's own file operations only, not programs launched through the shell functions, which is why disable_functions is needed as well.

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
;open_basedir =

expose_php

This should be set to Off. Doing so removes the X-Powered-By response header, which hands the exact PHP version to anyone looking for a matching exploit; as the comment says, the header is not a vulnerability by itself, but there is nothing to gain from sending it. Change it from the default On to Off:

; Decides whether PHP may expose the fact that it is installed on the server.
; It is not a threat in itself but does tell if php is installed.
expose_php = Off

safe_mode and sql.safe_mode

Both should be Off. The snippet below is sql.safe_mode, which is a different directive from safe_mode: sql.safe_mode makes the mysql extension ignore the credentials a script passes to it, while safe_mode was the old attempt to sandbox scripts inside the interpreter. Neither is a substitute for the controls above: safe_mode was deprecated in PHP 5.3 and removed in 5.4 because it could not be made watertight, and sql.safe_mode was removed in 7.2. The [SQL] line is the php.ini section header under which sql.safe_mode lives.

[SQL]
sql.safe_mode = Off

allow_url_include

This should be set to Off. There is no good reason for a production server to let include/require load code from a URL. The directive only has effect when allow_url_fopen is also On; if nothing on the server needs URL wrappers at all, turn allow_url_fopen Off as well.

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = Off
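To check that a running server actually has all of the settings above, here is an added audit script; it is not part of the original post. It reads the effective values with ini_get(), so php.ini, conf.d fragments and per-vhost or per-directory overrides all count, and it encodes the corrections made above: display_errors rather than error_reporting is what hides errors, and the shell functions are checked against the disable_functions list. The directive names are PHP's own; the expectation tables, the helper names and the output format are this example's.

```php
<?php
// php-ini-audit.php (added example, not from the original post).
// Audits the *effective* configuration of the PHP interpreter that runs it,
// so php.ini, conf.d/*.ini and per-vhost or per-directory overrides all count.
// Run it under the same SAPI as production (php-cgi, FPM, or via the web
// server), then delete it: it tells an attacker exactly what is hardened.
declare(strict_types=1);

// php.ini boolean directives and the value each must have in production.
// display_errors, not error_reporting, is what keeps errors off the page.
const BOOL_EXPECTATIONS = [
    'register_globals'  => false,   // removed in PHP 5.4; ini_get() then returns false, which passes
    'display_errors'    => false,
    'log_errors'        => true,    // keep the errors, just in the log
    'expose_php'        => false,
    'allow_url_include' => false,
    'sql.safe_mode'     => false,   // removed in PHP 7.2; same treatment
];

// Functions that must appear in php.ini as
//   disable_functions = system,exec,passthru,shell_exec,proc_open,popen
const MUST_BE_DISABLED = ['system', 'exec', 'passthru', 'shell_exec', 'proc_open', 'popen'];

/**
 * Is a boolean directive effectively on? ini_get() returns "", "0" or "1"
 * for On/Off set in php.ini, but ini_set() and special values such as
 * display_errors=stderr can leave other strings; anything that is not
 * recognisably "off" is treated as on, so the check errs toward reporting.
 */
function ini_is_on(string $directive): bool
{
    $value = ini_get($directive);
    if ($value === false) {           // directive unknown to this PHP version
        return false;
    }
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'no', 'false', 'none'], true);
}

/** Split a php.ini list value ("a, b,c") into trimmed, non-empty entries. */
function ini_list(string $directive, string $separator): array
{
    $raw = (string) ini_get($directive);
    return array_values(array_filter(array_map('trim', explode($separator, $raw)), 'strlen'));
}

/** Returns human-readable findings; an empty array means the baseline is met. */
function audit(): array
{
    $findings = [];

    foreach (BOOL_EXPECTATIONS as $directive => $expected) {
        if (ini_is_on($directive) !== $expected) {
            $findings[] = sprintf('%s must be %s, effective value is %s',
                $directive, $expected ? 'On' : 'Off', var_export(ini_get($directive), true));
        }
    }

    // error_reporting() with no argument returns the current level as an int;
    // it should stay at E_ALL so that log_errors captures everything.
    if (error_reporting() !== E_ALL) {
        $findings[] = 'error_reporting should be E_ALL (logged via log_errors, not displayed)';
    }

    $missing = array_diff(MUST_BE_DISABLED, ini_list('disable_functions', ','));
    if ($missing !== []) {
        $findings[] = 'disable_functions is missing: ' . implode(', ', $missing);
    }

    // open_basedir must be set, and "/" as an entry confines nothing.
    $basedirs = ini_list('open_basedir', PATH_SEPARATOR);
    if ($basedirs === [] || in_array('/', $basedirs, true)) {
        $findings[] = 'open_basedir is unset or contains "/"';
    }

    return $findings;
}

// Say which php.ini was consulted: the CLI one is often not the file the web
// server loads, which is the commonest reason an audit passes wrongly.
printf("SAPI: %s, php.ini: %s\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');
$findings = audit();
foreach ($findings as $finding) {
    echo "FAIL: $finding\n";
}
echo $findings === [] ? "OK: production baseline met\n" : '';
exit($findings === [] ? 0 : 1);
```

The script exits non-zero on any finding, so it can be dropped into a deployment check. Because it inspects the interpreter it runs under, running it from the command line only vouches for the CLI configuration; run it through the web server or php-cgi to audit what visitors actually hit, and remove it afterwards.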

Let me know if you find this useful and also if I have missed anything important!
