Optimised coding
Hi there,
What are the optimized coding methods to get pages loaded easily and not hackable?
Started: September 30, 2011 | Latest Activity: September 30, 2011 | Tags: javascript jquery css
3 Answers
SQL-injection vulnerabilities due to incorrect usage of mysql_query()
This might be a controversial opinion, but I believe that it's a mistake to use the old family of mysql functions. These are the family of functions prefixed with mysql_. There isn't really anything wrong with them as long as you use them correctly, but unfortunately I've found that most of the time they just aren't used correctly. The end result is that we have sites all over the internet vulnerable to SQL injection.

A better choice is to use an API that supports prepared statements, which solves this problem completely. MySQLi is such a family of functions, and for security purposes it's fine. However, I believe that the API is a bit of a pain to use. The main basis for that opinion is the fact that you simply cannot retrieve the result of a prepared statement as an array.

The best option is to use PDO. It's a modern database agnostic wrapper that supports flexible prepared statements and results in modern, safe and readable code. It's a joy to work with.

We should all stop teaching beginners the old functions and show them how to use and become comfortable with PDO from the start.

Posted: Rody.Adel
In: September 30, 2011

Edited: Rody.Adel
In: September 30, 2011
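Added example (not part of Rody.Adel's answer or of the thread): the string-building mysql_query() pattern the answer criticises, placed beside the PDO prepared statement it recommends. The table and column names (users, username), the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the original thread. Table/column names, DSN and
// credentials are placeholders.

// --- Pattern the answer warns about: mysql_ family + string concatenation ---
// The user-supplied value becomes part of the SQL text. A single quote in the
// input (even an innocent name like O'Brien) ends the string literal early and
// whatever follows is parsed as SQL. That is the SQL injection the answer
// describes. The mysql_ functions were removed entirely in PHP 7.0.
function find_user_unsafe($link, $username)
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return mysql_query($sql, $link); // do not use: injectable
}

// --- Pattern the answer recommends: PDO prepared statement ---
// The SQL text is compiled first with a placeholder; the value is bound
// afterwards and is only ever treated as data, never as SQL.
function find_user_safe(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    // PDO returns result rows as arrays directly, the convenience the answer
    // misses in MySQLi prepared statements.
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings are placeholders; adjust for your environment.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // surface SQL errors as exceptions
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

$input = isset($_GET['user']) ? $_GET['user'] : '';
foreach (find_user_safe($pdo, $input) as $row) {
    // Escape on output as well: a value that is safe for SQL is not
    // automatically safe for HTML.
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With ATTR_EMULATE_PREPARES turned off, the placeholder and the value travel to the MySQL server separately, so there is no client-side escaping step that could be skipped or misapplied; with ERRMODE_EXCEPTION a malformed query fails loudly instead of silently returning false.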

That's it for now

  • Don't use regex (preg_match, etc) for simple string searches.
  • Turn on error_reporting(E_ALL | E_STRICT); in development.
  • Separate your damn presentation from your damn logic, better yet, use a standard templating system.
  • Weak-typing is a double-edged sword. Avoid exploiting it liberally.
  • Clean all user input via casting, escaping, appropriate functions etc.
  • Did I say clean all user input? Really, it boggles me how often this gets passed over.
  • Check the library before writing ridiculous functions. It's full of its own ridiculous functions.
  • If writing anything resembling a library, be consistent with parameter order ("is it haystack/needle or needle/haystack?").
  • define is your friend. Please don't make me hunt for silly literals in your code.
  • Unless you're using register_shutdown_function, die / exit is usually a very bad and ungraceful way of handling errors, especially in production. Even still, you're probably making it more complex than it needs to be.
  • You're writing a wrapper class for an existing library compiled as part of PHP (i.e.: db interaction). Stop. You should probably use a Pear class.
  • Format your code (yes, really).
  • Format your code consistently.
  • Don't write code like this: if ( condition ) { return true; } else { return false; } or $variable = condition ? true : false; just assign the conditional directly (this applies to any language).
  • Use an opcode cache (APC or an equivalent thereof).
  • Use a distributed object cache when appropriate (ala memcached).
  • Be aware of type coercion: it will bite you. For example, "-" == (int)"-" is true.
  • POST when you should POST, GET when you should GET.

Posted: dhosam2
In: September 30, 2011

Edited: dhosam2
In: September 30, 2011
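Added example (not part of dhosam2's answer or of the thread): a small PHP script illustrating three of the list items above in one place, namely cleaning user input by casting and validation, strict comparison to sidestep the type-coercion trap the list mentions ("-" == (int)"-"), and define() for literals. The constant and function names, and the sample inputs standing in for $_GET values, are constructed for this example.

```php
<?php
// Added example, not from the original thread. Names and sample inputs are
// constructed for illustration.

define('MAX_PAGE_SIZE', 100);    // named constants instead of magic literals
define('DEFAULT_PAGE_SIZE', 20);

// Clean by casting: whatever arrives becomes an int, so it can be embedded in
// a LIMIT clause or compared without any further coercion. Then clamp it.
function clean_page_number($raw)
{
    $page = (int) $raw;
    return $page < 1 ? 1 : $page;
}

// Clean by validation: filter_var returns false for anything that is not an
// integer in range, instead of silently coercing it.
function clean_page_size($raw)
{
    $size = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_PAGE_SIZE],
    ]);
    return $size === false ? DEFAULT_PAGE_SIZE : $size;
}

// Escape for the HTML context on output. Cleaning on input does not make a
// value safe to echo into a page.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Loose vs strict comparison. With == PHP coerces operand types, which is why
// "-" == (int)"-" holds on PHP 5.x: "-" is a non-numeric string, (int)"-" is 0,
// and the string side is converted to 0 as well. With === the types must match
// too, so only the exact values you list are accepted.
function is_admin_flag($raw)
{
    return $raw === '1' || $raw === 1 || $raw === true;
}

// Assign the condition directly rather than writing `cond ? true : false`.
function is_first_page($raw)
{
    return clean_page_number($raw) === 1;
}

// Constructed inputs standing in for $_GET.
$samples = ['page' => '0', 'size' => '500', 'name' => '<b>Bob</b>', 'admin' => '-'];

echo 'page=', clean_page_number($samples['page']), "\n";
echo 'size=', clean_page_size($samples['size']), "\n";
echo 'name=', h($samples['name']), "\n";
var_dump(is_admin_flag($samples['admin']));
var_dump(is_first_page($samples['page']));
var_dump($samples['admin'] == (int) $samples['admin']); // the coercion case from the list
```

The last line is the comparison the list cites: it is true on PHP 5 and 7, where a non-numeric string compared to an integer is converted to 0, and false from PHP 8.0 onward, where the integer is converted to a string instead. Either way, is_admin_flag() gives the same answer on every version because === never coerces.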

Thanks Mr.MacOs
September 30, 2011
