Sitepoint has published an article covering the 7 most common vulnerability types applied to the PHP language as well as configuration options to futher lock down your environment. While I disagree with the structure/actual 7 the article is good and worth checking out.

If you're lazy and just want the seven here it is. (I'm such a nice guy)

* Unvalidated Input Errors
* Access Control Flaws
* Session ID Predication
* Cross Site Scripting
* SQL Insertion
* Error Reporting
* Data Handling Errors

Article Link: Top 7 PHP Security Blunders (SitePoint)