Web Hosting Talk
View Full Version : Some useful tips for PHP'ers


BurakUeda
11-02-2005, 04:12 PM
1- Redirect whenever / wherever you want:
You cannot do this:
<!doctype ..........>
<html>
<head>
</head>
<body>
< put here some header banner >
<?php
echo "something";
//check some POST variable and if it is not set goto some page:
header("Location: http://www.mysite.com/error.php");
This will give a warning: "Cannot modify header information - headers already sent"
because you must call header() before any output in your code.

A simple workaround for this (for PHP 4+) is:
<?php
ob_start();
?>
<!doctype ..........>
<html>
<head>
</head>
<body>
< put here some header banner >
<?php
echo "something";
header("Location: http://www.mysite.com/error.php");
?>
</body>
</html>
<?php
ob_end_flush();
?>
Using output buffering will hold any output until you release it (flush), so you are safe to use header() anywhere in your code :agree:

2- Keep your database passwords safe
For this, you have to make some changes in your Apache config file, httpd.conf; if you cannot access it, have your host do this for you.
BUT BE WARNED: make backups of everything, just in case you screw up ;)
First, create a file with your usernames and passwords for databases, registrar APIs, control panel APIs, 3PP APIs etc. in it:
say, a "secure.inc" file that looks like this:
SetEnv DBASE_USER "username"
SetEnv DBASE_PW "password"
SetEnv ENOM_UID "enomuser"
SetEnv ENOM_PW "enompw"
And include this file into httpd.conf, *INSIDE YOUR OWN VIRTUAL HOST BLOCK*, or all users on the server can see it:
Include "/path/secure.inc"
Now restart your Apache, and when you want to use those usernames and passwords you can call them like this:
$conn_db = mysql_connect("localhost", $_SERVER["DBASE_USER"], $_SERVER["DBASE_PW"]);
So even if someone gets hold of your PHP code in some way, your passwords will not be exposed. But keep in mind that outputting phpinfo() publicly will reveal your passwords.

3- heredoc usage
Consider this HTML code: (I know it has errors, I randomly deleted some parts. This is just an example)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>

<TITLE>Untitled Document</TITLE>

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
</HEAD>
<BODY CLASS="sub">
<BR>
<TABLE WIDTH="90%" BORDER="0" CELLSPACING="2" CELLPADDING="4" STYLE="text-align: center">
H="90%" NOSHADE SIZE="1">
<BR>

<TABLE WIDTH="90%" BORDER="0" CELLSPACING="0" CELLPADDING="4" STYLE="text-align: center">
<TR>
<TD WIDTH="15%" STYLE="white-space: nowrap">

<TABLE WIDTH="100%" BORDER="0" CELLSPACING="0" CELLPADDING="2" CLASS="FooterColor">
<TR>
<TD> 2001 Lorem Ipsum Dolor <A HREF="#">Sic Amet</A> • <A HREF="#">Consectetur</A> </TD>
<TD STYLE="text-align: right"> <A HREF="#">Lorum</A> • <A HREF="#">Ipsum</A> • <A HREF="#">Dolor</A> • <A HREF="#">Sic Amet</A> • <A HREF="#">Consectetur</A> </TD>
</TR>
</TABLE>
</BODY>
</HTML>
Suppose you want to put this code into a variable like $html_code.
You will have to take care of all the quotes and other characters you have to escape. And inserting some dynamic content inside it will be a nightmare.
Not exactly. We have heredoc.
Check out this code:
$html_code = <<< CONTENT
PUT ANYTHING HERE
I mean <anything>
<img src="img.gif">
<FORM ACTION = 'mypage.php'>
<DIV>
</DIV>

CONTENT;
heredoc will take care of everything for you. It starts with "<<<" followed by a heredoc block identifier (CONTENT in this example) and ends with the same block identifier and a semicolon.
The closing heredoc identifier must be at the very left of the line, with no space(s) or tab(s) before it. The identifier must contain only alphanumeric characters and underscores, and must begin with a non-numeric character.
You want to use some dynamic content inside the block? No problem, use your PHP variables inside curly brackets:
$html_code = <<< CONTENT
PUT ANYTHING HERE
I mean <anything>
http://www.{$domain}.{$tld}
<img src="{$img_name}.gif">
<FORM ACTION = 'mypage.php'>
<DIV>
{$staff->name["barney"]}
</DIV>

CONTENT;
That's it for now, I hope you find these useful. I may come up with something more in the near future.
Comments and corrections are welcome :D
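As an added example, not code from the post above: the three tips combined into one page. Output buffering makes a redirect legal after markup has already been emitted, the redirect is followed by exit so nothing below it keeps running, the credentials come from the post's DBASE_USER / DBASE_PW SetEnv variables and are never echoed, and the heredoc only receives request data after htmlspecialchars. mysqli_connect stands in for the post's mysql_connect; the order_id form field and the error page URL are assumptions.

```php
<?php
// Added example: the post's three tips in one page. Not code from the post.
// Assumes httpd.conf exports DBASE_USER / DBASE_PW with SetEnv as in tip 2;
// the "order_id" form field and the error page URL are illustrative.
ob_start();

/** Read a SetEnv credential; fail closed if it is missing or empty. */
function env_credential($name)
{
    if (!isset($_SERVER[$name]) || $_SERVER[$name] === '') {
        ob_end_clean();                               // drop buffered HTML
        header('HTTP/1.1 500 Internal Server Error');
        exit('Configuration error');                  // generic, no secrets
    }
    return $_SERVER[$name];
}

/** Redirect and stop: without exit, everything after header() still runs. */
function redirect_and_exit($url)
{
    ob_end_clean();
    header('Location: ' . $url);
    exit;
}

echo "<!DOCTYPE html>\n<html><head><title>Order</title></head><body>\n";
// Output has already started; the buffer from tip 1 makes this redirect legal.
if (!isset($_POST['order_id']) || !ctype_digit($_POST['order_id'])) {
    redirect_and_exit('http://www.mysite.com/error.php');
}

$db = mysqli_connect('localhost', env_credential('DBASE_USER'),
                                  env_credential('DBASE_PW'));
if (!$db) {
    error_log('DB connect failed: ' . mysqli_connect_error()); // server log only
    redirect_and_exit('http://www.mysite.com/error.php');
}

// Tip 3: heredoc interpolates {$vars} verbatim, so escape anything that
// came from the request before it lands inside the markup.
$order_id = htmlspecialchars($_POST['order_id'], ENT_QUOTES, 'UTF-8');
$img_name = 'order';                                  // trusted, not user input
$html_code = <<<CONTENT
<img src="{$img_name}.gif">
<DIV>Processing order {$order_id}</DIV>
</body></html>
CONTENT;
echo $html_code;
ob_end_flush();
```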

robmaag
12-08-2005, 07:44 PM
The above post is correct

Korvan
12-09-2005, 04:30 PM
On a semi-related note: It's also a good idea to use lower case HTML tags and attribute names, especially if you want to translate your pages into XHTML sometime in the future.

You could store your database info in your .conf file, but sometimes this isn't an option. Putting the configuring PHP file one level below (or above; after all, clients cannot see anything contained within PHP tags) the webroot will also work.


<?php
if(!defined("_DB_HOST"))
{
define("_DB_HOST", "localhost");
define("_DB_USER", "user");
define("_DB_PASS", "admin");
}
?>

and later you can access it as

$dbc = mysql_connect(_DB_HOST, _DB_USER, _DB_PASS);


The above solution will work as long as you do not let clients download it or read the source of the file. Obviously you will have to manually include the file in any document where you need the settings, whereas Burak's solution will give you universal access to those variables without having to manually include a configuration file.

adaml
12-14-2005, 08:25 PM
It's not a good idea to load your database settings into Apache, as then the variables can be accessed anywhere within the server.

Why not just use variables? Or add the contents in to an array? You could encrypt these and then decrypt them when you need them!?

NateD
01-02-2006, 09:42 AM
I store all my db passwords in a file with a .php extension. This way if a user does figure out the path to it my passwords won't be revealed (any other file extension will result in the file contents being displayed).

There are a lot of techniques out there to improve your site's security, though they will each come with a performance hit. Pick a reliable web host, as someone could still access your database and password files by attacking a less secure site hosted somewhere else on the system (assuming you are on a shared hosting account).

I recommend doing a Google search and reading up on what other developers suggest you do.

linux-tech
01-13-2006, 08:43 AM
I store all my db passwords in a file with a .php extension. This way if a user does figure out the path to it my passwords won't be revealed (any other file extension will result in the file contents being displayed).
That is not always the case. The following will prevent this.

<FilesMatch "\.inc$">
Deny from all
</FilesMatch>

You can put this in your .htaccess file, or better yet, in your apache configs
in httpd.conf, look for

#<Directory /home/*/public_html>

and add just above:

<Directory /home/*/public_html>
<FilesMatch "\.inc$">
Deny from all
</FilesMatch>
</Directory>

This way, you're protected against this stuff using .inc files.

There's a couple of other ways to do this, though I forget them at the time. If I remember them, I'll put the info in here as well.
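As an added example, not code from any post in this thread, of the alternative Korvan, NateD and linux-tech discuss: a credentials file kept outside the document root and loaded with require, plus a check that the file really is outside DOCUMENT_ROOT, since a .inc or .php file inside public_html is only as safe as the FilesMatch rule or PHP handler that guards it. The paths and the db.conf.php name are assumptions.

```php
<?php
// Added example (not from the thread): credentials kept in a file outside
// the document root, loaded with require, and checked before use.
// Assumed layout:
//   /home/site/config/db.conf.php   (not web-reachable)
//   /home/site/public_html/         (DOCUMENT_ROOT)
// db.conf.php holds nothing but a return statement:
//   <?php return array('host' => 'localhost', 'user' => 'user', 'pass' => 'admin');

/**
 * Load the credentials file. Refuses a file that lives under DOCUMENT_ROOT,
 * because there it is only as safe as the handler or FilesMatch rule that
 * guards it, and warns if every account on the box can read it.
 */
function load_db_config($path)
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('credentials file not found');
    }
    $root = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($root !== false) {
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strpos($real, $prefix) === 0) {
            throw new RuntimeException('credentials file is inside the web root');
        }
    }
    if (fileperms($real) & 0004) {                     // world-readable
        error_log('warning: ' . $real . ' is readable by every user on the host');
    }
    $cfg = require $real;
    foreach (array('host', 'user', 'pass') as $key) {
        if (!is_array($cfg) || empty($cfg[$key])) {
            throw new RuntimeException('credentials file is missing ' . $key);
        }
    }
    return $cfg;
}

// Usage from a script under public_html (the relative path is an assumption):
$cfg = load_db_config(__DIR__ . '/../config/db.conf.php');
$db  = mysqli_connect($cfg['host'], $cfg['user'], $cfg['pass']);
unset($cfg);                                            // do not keep the password in a global
```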

Xoopiter-Craig
01-13-2006, 08:52 AM
Suppose you want to put this code into a variable like $html_code.
You will have to take care of all the quotes and other characters you have to escape. And inserting some dynamic content inside it will be a nightmare.
Not exactly. We have heredoc.
Check out this code:
$html_code = <<< CONTENT
PUT ANYTHING HERE
I mean <anything>
<img src="img.gif">
<FORM ACTION = 'mypage.php'>
<DIV>
</DIV>

CONTENT;
heredoc will take care of everything for you. It starts with "<<<" followed by a heredoc block identifier (CONTENT in this example) and ends with the same block identifier and a semicolon.
The closing heredoc identifier must be at the very left of the line, with no space(s) or tab(s) before it. The identifier must contain only alphanumeric characters and underscores, and must begin with a non-numeric character.
You want to use some dynamic content inside the block? No problem, use your PHP variables inside curly brackets:
$html_code = <<< CONTENT
PUT ANYTHING HERE
I mean <anything>
http://www.{$domain}.{$tld}
<img src="{$img_name}.gif">
<FORM ACTION = 'mypage.php'>
<DIV>
{$staff->name["barney"]}
</DIV>

CONTENT;
That's it for now, I hope you find these useful. I may come up with something more in the near future.
Comments and corrections are welcome :D

Nice guide, I especially liked this one (above), it will help me a lot.

Cheers
Craig.

Minodragon
01-13-2006, 09:27 PM
Thanks! I was especially wondering about the header one.