in reply to Removing malicious HTML entities (now with more questions!)

<voice of doom and gloom>

See Security techniques every programmer should know for a good overview of CGI security problems.

If you really want to be sure of your CGI security, you will need to run your own server. All the people with root access on your hosting service can read (and temporarily modify) your script, not to mention government people who now legally can inspect your operation (part of the anti-terror stuff). Do you really trust all those people?

That's why web-store farms are becoming so popular. Why take the risk yourself to handle all those cc numbers and private info, when Yahoo or someone will do the scripting for you, and has a bank of lawyers to defend themselves when things go wrong?

The sad fact is the people running the OS on your hosting server control your security, by being diligent about applying security patches and screening employees with physical (and root) access to the server(s).

All you can do is take standard precautions, like filtering NULL bytes, avoiding world-writable files and directories, never allowing user-privilege escalation, using SSL where passwords and private info are passed, etc. That is called "due diligence" in legalese... and means you won't be held negligent if things go South. Protect yourself.

Think about what would happen if your database files get stolen. People will blame you, you will blame the server operator for lax security, and it will all get complicated fast. Almost all of the time, the exact hole will never be proven, and it will get blamed on some truck driver for losing a box of backup tapes.

The government, who is supposedly fanatic about secrecy (at least certain departments), will have the servers locked in rooms, under constant video surveillance, and electromagnetically shielded. You mean your hosting service doesn't have that? Oh.... you are wide open to the right people.

</voice of doom and gloom>


I'm not really a human, but I play one on earth Remember How Lucky You Are
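
Two of the precautions named in the post above (filtering NUL bytes and avoiding world-writable files), sketched as an added Perl example that is not part of the original post. The helper names, the allow-list pattern, and the sample values and file names are assumptions made for illustration, and the permission check assumes POSIX mode bits.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# True if the value contains a NUL byte. Perl strings carry NULs happily,
# but C-level system calls treat NUL as the end of the string.
sub has_nul {
    my ($value) = @_;
    return (defined $value && $value =~ /\0/) ? 1 : 0;
}

# Accept a user-supplied file name only if it is NUL-free and matches an
# allow-list; reject it outright rather than trying to repair it.
sub safe_name {
    my ($value) = @_;
    return undef if !defined $value || has_nul($value);
    return $value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Return those paths whose permission bits include "write for others".
sub world_writable {
    my @bad;
    for my $path (@_) {
        my @st = stat($path) or next;    # skip paths that do not exist
        push @bad, $path if $st[2] & 0002;
    }
    return @bad;
}

# Constructed sample input: two form values, the second with an embedded NUL.
for my $p ("notes.txt", "notes.txt\0.html") {
    (my $shown = $p) =~ s/\0/\\0/g;      # make the NUL visible when printing
    printf "%-20s %s\n", $shown, defined safe_name($p) ? "accepted" : "rejected";
}

# Constructed sample files in a scratch directory, with explicit modes.
my $dir   = tempdir(CLEANUP => 1);
my %modes = ("orders.db" => 0600, "guestbook.txt" => 0666);
for my $name (sort keys %modes) {
    open(my $fh, '>', "$dir/$name") or die "create $name: $!";
    close $fh;
    chmod $modes{$name}, "$dir/$name" or die "chmod $name: $!";
}
print "world-writable: $_\n" for world_writable(map { "$dir/$_" } sort keys %modes);
```

Run as a script, it accepts the first value, rejects the second, and reports only the file created with mode 0666.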