thanks for the useful tips.

1-md5 is weak encrypt.use sha1().

2-just use ssl for avoide spoofing sensetive data.(https:// insted http://.dont) use ssl just for login page.use ssl for all page.

3-Why File Upload Forms are a Major Security Threat. good link:
http://www.acunetix.com/websitesecurity/upload-forms-threat/

4-test yor application by some tools.for example acunetix(http://www.acunetix.com)

5-also good intruduce vulnerability in https://www.owasp.org/

regard

Validate all user input <– fails to provide examples…

Cross site scripting <– gives no mention to where it is required and how to make it safe, just says its bad and to prevent it…
Always name your file as only .php <– what! lol how is that security?

SUPER_SALTY <– obscurity not security… with or without is the same security wise…

Protect against CSRF <– using a hidden input token is not secure, its shown in the source! instead use $_SESSION to prevent CSRF.

The Session <– articles explains what it is not how its a security threat or offer any examples of preventing security risks…

Store sessions in database <– explained the threat is that the session is stored on the server but so is the database… instead use your .htaccess to prevent casual browsing to the files location.

Force single session <–redundant unless you also find a way to prevent multiple tabs on the same session.

There were some good tips but overall this article should be taken with a grain of salt, there are many better written and comprehensive articles available on securing your PHP application.

This decision leads to many security issues especially for sites taking advantages of the above features.