I have written a lot of PHP over the past 6 years, and time and time again I see the same little and big mistakes.
1) Not sanitising user input before displaying it, executing it, or putting it in the database.
2) Not using consistent naming conventions. (We have all done this before)
3) Not breaking big functions into smaller functions when possible. (Breaking up a big function can help with debugging and maintainability)
4) Not using classes and OOP.
5) Not using a database abstraction layer such as ADOdb or, better yet, PDO.
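Points 1 and 5 go together, so here is an added example (my own, not code from the original post) showing the unsafe shape beside the PDO version with output escaping. It assumes an in-memory SQLite database and a constructed request value so it runs offline.

```php
<?php
// Added example: mistakes 1 and 5 side by side with the fix.
// Assumption: in-memory SQLite and a `users` table constructed here for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed request value: treat anything from $_GET/$_POST like this as untrusted.
$name = "O'Brien <script>alert(1)</script>";

// Mistake 1 + 5: interpolating input straight into SQL. The quote in $name breaks
// the statement; with other input it would change what the statement does.
function insertUnsafe(PDO $pdo, string $name): void {
    $pdo->exec("INSERT INTO users (name) VALUES ('$name')");
}

// Fix: a prepared statement keeps the query structure separate from the data.
function insertSafe(PDO $pdo, string $name): int {
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

// Read it back the same way: bind the id, never concatenate it.
function findName(PDO $pdo, int $id): ?string {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Mistake 1 on the way out: escape for the context you write into (HTML here).
// Store the raw value; escape at display time, once, for the right context.
function renderName(string $name): string {
    return '<span>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</span>';
}

try {
    insertUnsafe($pdo, $name);
} catch (PDOException $e) {
    echo 'unsafe insert failed: ' . $e->getMessage() . PHP_EOL;
}

$id = insertSafe($pdo, $name); // stored verbatim, quote and tags included
echo renderName(findName($pdo, $id)) . PHP_EOL; // tags arrive as text, not markup
```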
Not so much PHP-related things:
6) The belief that anyone can write a secure site in PHP with little or no experience. (This is an outright lie, and the same is true in any programming language)
7) "If I learn a PHP framework I have learned PHP." (You have learned how to use a tool, a framework in this case, but you have not learned all of what PHP has to offer. Or Ruby, if you're doing Rails)
This is more of a misconception with PHP.
8) "PHP is insecure." (This can be said of any programming language, damn Java included. It's not the language that's insecure but the way you use the language and the code you write.)
That rant is done. Hopefully there is something useful in there for you guys and gals.