First and foremost, XSS (Cross-site scripting).
alert('Buy cheap viagra!');
You should watch out for none-persistent XSS too; I can inject code into a get variable and send it to someone and use your site to hack them by proxy.
XSS can usually be solved by a few well placed htmlentities().
Second big problem - SQL injection. User inputs a string like..
" AND A=B; --
..into your login box to bypass your password check. Or, if they want to be destructive...
"; DROP TABLE users; --
As you can see, this is quite bad. Solution is simple: wrap any user input used in a query with mysql_escape_string. Remember that even uploaded file names can be used to inject sql strings with minimum difficulty. I think it goes without saying not to pass SQL statements via user input.
Another hack to watch out for; using user input for filenames/urls/filepaths etc. If you were to say, fopen() a textfile via get variable with a url like:
Someone could feed it..
...to get your database password. Seriously, do not mix user input with fopen, include, file_get_contents or even imagejpeg. People still make this mistake.
While we're on the subject, file uploads count here so use basename(). In theory I could upload a file called ..%2Findex.php to overwrite your index page. %2F is a url entitiy for /, which isn't allowed in filenames.
It is also possible to steal peoples' cookies, and therefore their sessions, so make sure that cookies expire within a reasonable time frame. Otherwise you may have someone logged into your control panel that you really don't want there.
Basically user input is the devil and should be treated like the source of a bomb scare. Backslash-escape, typecast and generally validate to hell.