obsidian, apologies if this is covering what you were getting at.
in my opinion, $_GET, $_POST and $_COOKIE (GPC) are the three to really be super-paranoid about if you want a secure site, as they're the 3 php superglobals that primarily deal with input from the user.
if you're not doing some sort of processing, no matter how simple the script is, on these three, then you're asking for trouble as any of them can be exploited with certain code to either make your script act erratically or reveal/do things that you don't want. whilst 'SQL Injection' is mainly aimed at people dealing with mysql databases, the principles involved and the methods to cut out injection relate to scripting whether you use a database or not.
if your system is kinda like a templating system, then use an array/mysql/flatfile system to store and retrieve the information you need rather than allowing a user to get 'straight to the heart' of your code. so if you had a templating system, you might have something like:
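$module = isset($_GET['action']) ? $_GET['action'] : '';
$all_actions = array('thisone'=>'thisone.php');
if (isset($all_actions[$module]))
    include $all_actions[$module]; // only files listed in the array can ever be loaded
else
    echo 'get out of here!!!!!!';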
obviously there is more to consider, like checking for invalid characters in the URL parameter, but what the above does is put a barrier or two in between the user and the script.
from my old college teacher:
a bouncer at the door of a night club will stop most under-age drinkers getting in, but there's always one that can get through. put an extra one or two on the door, who all ask for age identification, and things get much harder for them. it's not much different in web security. stop everything that comes through, check it thoroughly, etc, and maybe your site won't get shut down like a club that lets under-age drinkers in.
"you have to keep pissing in the wind to learn how to keep your shoes dry..."
I say old chap, that is rather amusing!
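
The allow-list lookup from the post above, combined with the character check it mentions, as an added example that is not part of the original post. The `modules` directory, the `news` entry and the `resolve_module()` helper are assumptions made for illustration.

```php
<?php
// Added example: layered checks in front of a templating-style include.
// Directory, action names and helper name are constructed for illustration.

const MODULE_DIR = __DIR__ . '/modules';   // assumed location of module files

// The only actions that exist, each mapped to a fixed file name.
const ALL_ACTIONS = [
    'thisone' => 'thisone.php',
    'news'    => 'news.php',               // constructed entry
];

/**
 * Return the absolute path of the module for $action, or null if rejected.
 */
function resolve_module($action, array $actions = ALL_ACTIONS, $baseDir = MODULE_DIR)
{
    // Barrier 1: type and character check. Arrays (?action[]=x), empty
    // strings, dots, slashes and NUL bytes all fail here.
    if (!is_string($action) || !preg_match('/\A[a-z0-9_]{1,32}\z/', $action)) {
        return null;
    }
    // Barrier 2: allow-list lookup. User input is only ever used as an
    // array key, never as part of a file name.
    if (!array_key_exists($action, $actions)) {
        return null;
    }
    // Barrier 3: the mapped file must exist and sit inside the module
    // directory, which catches a bad entry in the allow-list itself.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $actions[$action]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_module(isset($_GET['action']) ? $_GET['action'] : null);
if ($file === null) {
    http_response_code(404);
    echo 'get out of here!!!!!!';
    exit;
}
include $file;
```

Each check rejects on its own, so a mistake in one (a loose pattern, a stray entry in the array) is still caught by the next.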