PHP Security Checklist
Set register_globals Off
This directive determines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. This is an important setting to turn Off.
Use disable_functions to disable dangerous PHP functions that are not needed by your site
Disable allow_url_fopen
This option enables the URL-aware fopen wrappers, which allow remote URLs to be opened as if they were local files.
Set magic_quotes_gpc On
This will prevent SQL injection.
When on, all ' (single quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.
Set safe_mode On
When the safe_mode parameter is enabled, PHP scripts are able to access files only when the owner of the file is the owner of the PHP script. This is one of the most important security mechanisms built into PHP. It effectively counteracts unauthorized attempts to access system files (e.g. /etc/passwd) and adds many restrictions that make unauthorized access more difficult.
Set safe_mode_gid Off
When safe_mode is turned on and safe_mode_gid is turned off, PHP scripts are able to access files not only when UIDs are the same, but also when the group of the owner of the PHP script is the same as the group of the owner of the file.
open_basedir should be enabled and correctly configured
When the open_basedir parameter is set, PHP is able to access only those files that are located in the specified directories (and their subdirectories).
safe_mode_exec_dir should be enabled and correctly configured
When safe_mode is turned on, system(), exec() and other functions that execute system programs will refuse to start a program unless it is located in the specified directory.
Example
This is an example php.ini configuration that applies the above suggestions:
register_globals = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = Off
magic_quotes_gpc = On
safe_mode = On
open_basedir = /var/www
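Added here as an example, not part of the original checklist: a small Python auditor that reads php.ini text and reports which of the items above it fails. The two sample configurations and the safe_mode_exec_dir path in the hardened one are constructed for the demonstration.

```python
# Added example, not from the checklist's author: audit php.ini text against the
# directives above. The .ini samples below are constructed for the demo.
EXPECTED = {  # directive -> required value; None means "must be set to something"
    "register_globals": "Off", "allow_url_fopen": "Off", "magic_quotes_gpc": "On",
    "safe_mode": "On", "safe_mode_gid": "Off",
    "open_basedir": None, "safe_mode_exec_dir": None,
}
DANGEROUS = {"show_source", "system", "shell_exec", "passthru",  # functions the
             "exec", "phpinfo", "popen", "proc_open"}           # checklist disables
ON = {"1", "on", "true", "yes"}  # php.ini spellings of a true boolean

def parse_ini(text):
    """Minimal php.ini reader: drops ';' comments and [sections]; last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit(ini_text):
    """Return findings (empty list = passes); an unset boolean counts as Off."""
    s = parse_ini(ini_text)
    findings = []
    for directive, expected in EXPECTED.items():
        actual = s.get(directive, "")
        if expected is None:
            if not actual:
                findings.append(f"{directive} is not set")
        elif (actual.lower() in ON) != (expected == "On"):
            findings.append(f"{directive} is '{actual or 'unset'}', expected {expected}")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    for fn in sorted(DANGEROUS - disabled):
        findings.append(f"{fn}() is not in disable_functions")
    return findings

WEAK_INI = "register_globals = On ; constructed weak config\nallow_url_fopen = On\n"
HARDENED_INI = """[PHP]
register_globals = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = Off
magic_quotes_gpc = On
safe_mode = On
safe_mode_gid = Off
open_basedir = /var/www
safe_mode_exec_dir = /var/www/bin ; constructed path, not from the checklist
"""
if __name__ == "__main__":
    for name, ini in ("weak", WEAK_INI), ("hardened", HARDENED_INI):
        print(name + ":", audit(ini) or "passes the checklist")
```

Note that register_globals, magic_quotes_gpc, safe_mode, safe_mode_gid and safe_mode_exec_dir were removed in PHP 5.4, so those checks only apply to legacy installations; disable_functions, allow_url_fopen and open_basedir still exist in current PHP.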