Today, I discovered a nice PHP thing: Munin. This is a PHP version of Apache mod_security, allowing it to be run on IIS too. Munin performs rule based checks on HTTP headers, get and post data, ... The standard rule set disallows some things like path traversal and possible fopen() attacks.
In addition to these rulesets, one should add some more for filtering out SQL injection attacks, cross-site script loading, ... These things should already be covered in your code, but an extra filter at the front door is always nice.
You also get a nice control panel in which you can check rules that have matched and thus might indicate possible misuse of your website. You can also manage rules in this front-end.