10 should be the most important. Poorly written scripts can lead to an SQL injection attack with little effort from the wrongdoer.
Also, be sure to test your scripts well. Put yourself in the place of a hacker, it is better you find any flaws before they do.
You are going to have to properly validate user input regardless. And magic quotes have to do with the way the server is set up, so it all depends on what settings your hosting provider has set up. PHP 6 is phasing out magic quotes completely.
Edited by dserban, 18 August 2007 - 10:29 AM.