Hi,

Can anyone tell me how to make a secure PHP site, or what the key points are for making a secure website using PHP?

-keval


There are several. Among others: "Never trust user input". (You have to handle it, of course, but you need to sanitize it before you let it loose in the system.) For instance, instead of saying "update mytable set user_item = $form_3", make sure that $form_3 is quoted correctly to avoid an SQL injection attack. (Imagine that the user had typed in "doofus; drop table if exists mytable".)
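The point above, shown as working code. This is an added example, not code from the reply or from DaniWeb: it builds the reply's "update mytable" statement both ways, using the "doofus; drop table" payload the reply imagines as the form value. It assumes an in-memory SQLite database through PDO, and a table "mytable" with columns "id" and "user_item" (the column names beyond "user_item" are assumed); both are created inline so the script runs offline with the pdo_sqlite extension.

```php
<?php
// Added example: interpolated SQL versus a prepared statement.
// Assumptions: PDO with the sqlite driver; table layout invented for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, user_item TEXT)');
$pdo->exec("INSERT INTO mytable (user_item) VALUES ('apple'), ('bread')");

// Constructed form input: the reply's payload plus the quote needed to
// break out of the string literal in the interpolated version.
$form_3 = "doofus'; DROP TABLE IF EXISTS mytable; --";

// VULNERABLE: the user's text becomes part of the SQL grammar. The query is
// returned as text rather than executed so the injected statement is visible.
function updateUnsafeQueryText(string $form_3): string
{
    return "UPDATE mytable SET user_item = '$form_3' WHERE id = 1";
}

// SAFE: placeholders. The SQL text is sent to the driver without the value;
// the value is bound afterwards and can only ever be data, never SQL.
function updateSafe(PDO $pdo, string $form_3): int
{
    $stmt = $pdo->prepare('UPDATE mytable SET user_item = :item WHERE id = :id');
    $stmt->execute([':item' => $form_3, ':id' => 1]);
    return $stmt->rowCount();
}

echo "Query the unsafe version would run:\n  ",
     updateUnsafeQueryText($form_3), "\n";

$changed = updateSafe($pdo, $form_3);
$row = $pdo->query('SELECT user_item FROM mytable WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
$count = $pdo->query('SELECT COUNT(*) FROM mytable')->fetchColumn();

echo "Rows updated by the safe version: $changed\n";
echo "Value now stored (the whole payload, as plain text): {$row['user_item']}\n";
echo "mytable still has $count rows\n";
```

Running it prints the unsafe query with the DROP TABLE spliced into it, then shows that the prepared statement stored the entire payload as a string and left the table intact. Quoting or escaping the value by hand (the reply's "quoted correctly") also works when done consistently, but prepared statements remove the chance of forgetting it for one field.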

To be clear, the only website that is hacker-proof is Google,
and that's only because they have tens of thousands of employees.
Being an ex-hacker (I only hacked my own stuff, btw),
you not only need to prevent any user-input hacks,
but on any user input forms do the following:
Prevent SQL injection.
Make sure they are coming from the correct page.
Do NOT have any source code that obviously points to code.
- Use JavaScript to print innerHTML all over the place.
- It doesn't make it any more "hack-proof", but it will annoy the hell out of the hacker and they won't bother after 5 seconds of viewing the source code.
Use HTTPS where possible.
Use false links.
- Header as follows on a food site:

<?php
include('connections.php');
include('menulist.php');
include('bgimage.php');
include('database.php');
include('ingredientsearch.php');
?>

Have them all look authentic, but bgimage.php can contain your connect info.
HARD CODE THESE FILES.
Convert to binary.
HARD ENCODE ALL PUBLIC SITES.
Don't use links like index.php, main.php, menu.php;
use lkj98234nf.php.
Install internal hacker prevention.
- I can delete most sites with a mouse click and very fancy software.
- I have only deleted my own sites; I don't act illegally, btw.
Make sure, if you send trojans to external hacker intervention, you don't make them so annoying that they wage war on your site. You won't win.

Hope this helps :)
Don't feel inclined to go this deep, though. It will be easier just to re-upload your site for the once every ten years this might happen. Just make sure you back up your site and database regularly :) :)
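The reply above says to make sure form submissions "are coming from the correct page". One common way to enforce that is a per-session anti-CSRF token: the page that renders the form embeds a random token, and the handler rejects any POST whose token does not match the one in the session. This is an added example, not code from the reply; the function names, the form field "form_3", and the use of a plain array in place of $_SESSION (so it runs from the command line without a web server) are all assumptions made for the demo.

```php
<?php
// Added example: tie a form submission to the page that served it.
// Assumption: $session stands in for $_SESSION so the script runs offline.
declare(strict_types=1);

// Issue one unguessable token per session (256 bits from the CSPRNG).
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The page that serves the form embeds the token as a hidden field.
function renderForm(array &$session): string
{
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="update.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="form_3">'
         . '<button type="submit">Save</button>'
         . '</form>';
}

// The handler accepts the POST only if the submitted token equals the
// session's token. hash_equals() is a constant-time comparison and refuses
// non-string input; a loose == would also accept type-juggled values.
function submissionIsFromOurPage(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? null;
    return $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}

// Demo with constructed requests.
$session = [];
echo renderForm($session), "\n";

// A submission from our own page carries the token we issued.
$legit  = ['csrf_token' => $session['csrf_token'], 'form_3' => 'apple'];
// A submission forged from another site cannot know the token.
$forged = ['form_3' => 'apple'];
// A guessed token of the right length but wrong value.
$guess  = ['csrf_token' => str_repeat('0', 64), 'form_3' => 'apple'];

foreach (['legit' => $legit, 'forged' => $forged, 'guess' => $guess] as $name => $post) {
    $ok = submissionIsFromOurPage($session, $post) ? 'accepted' : 'rejected';
    echo "$name request: $ok\n";
}
```

In a real handler, $session is $_SESSION after session_start(), and a rejected request should stop before touching the database. Checking the Referer header alone is not a substitute, because browsers and proxies strip it and the client controls it.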
