I’m finishing up my first “real” PHP application and I am trying to make sure it is secure. I’m kind of afraid that since I’m not an “expert” PHP programmer that I might be missing something huge, so I would like to give you some information about my application and hopefully you can tell me whether or not that is the case. So here we go:

• I’m using a CMS to handle user authentication, so I don’t have to
  worry about that.
• After discovering PDO shortly after starting work
  on my application, I ported all of my code over to using prepared
  statements with PDO.
• I am escaping all form and database data (even stuff I think is safe) which is being output with htmlentities().
• My application does use a session variable and cookie variable, but the function of both is very unimportant.
• I have designed my form processing functions in such a way that it doesn’t matter if the form were somehow altered, or submitted from off-server (i.e. I always check the data submitted to ensure it’s valid).
• I have done my best to make all error messages and exception messages polite but very obscure.
• I’m forcing pages with sensitive information (such as the login page) to be served over https.

When I first starting writing my application, I didn’t know about prepared statements, which is kind of a huge deal. Have I missed anything else?