In reply to My site hacked
sammie
there are 2 major security risks/mistakes people make,
register_globals On and allow_url_include On
from the php.ini files I have seen people use to override the local register_globals On setting, most then go on to put allow_url_fopen On and then, not knowing what allow_url_include is, they think it's the same as allow_url_fopen and turn it on.

allow_url_include On is as dangerous as register_globals On

If the server is running SuPHP you have to make a copy of the php.ini file and edit it, making sure it has:
register_globals = 0
allow_url_include = 0
allow_url_fopen = 1

If the server is NOT running SuPHP you can place the following in the .htaccess file:
php_flag register_globals off
php_flag allow_url_include off
php_flag allow_url_fopen on

If the server is running SuPHP DO NOT try the .htaccess method as it does not allow you to override php via .htaccess

apply this security patch if you want to make sure you have added protection

edit /plugins/safehtml/HTMLSax3.php add this at the top above the require once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories.

Remember, although this covers security issues locally at your server's site level, if the master settings are on, you are not 100% safe as a hacker can still get to your site if they hack the server above the account level.

the safest option, move to a host that's set up for Dolphin and knows what they are doing.
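A static check for the two directives the post above warns about, covering both file formats it shows (a php.ini copy and .htaccess php_flag lines). This is an added example, not part of the original post; the function names and the sample php.ini text are constructed for illustration.

```python
import re

# Per the post: these two must be off. allow_url_fopen is left on there,
# so it is not flagged here.
MUST_BE_OFF = ("register_globals", "allow_url_include")
TRUTHY = {"1", "on", "true", "yes"}

def parse_php_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a comment
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings

def parse_htaccess(text):
    """Return {directive: value} from php_flag / php_value lines ('#' lines are skipped)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*php_(?:flag|value)\s+(\S+)\s+(\S+)", line, re.I)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip('"').lower()
    return settings

def audit(settings):
    """List (directive, problem) pairs: enabled, or absent so the master value applies."""
    findings = []
    for name in MUST_BE_OFF:
        if name not in settings:
            findings.append((name, "not set, inherits master value"))
        elif settings[name] in TRUTHY:
            findings.append((name, "enabled"))
    return findings

# Constructed sample: the mistake described in the post (allow_url_include
# switched on together with allow_url_fopen).
RISKY_INI = """\
; local override (constructed sample)
register_globals = Off
allow_url_fopen = On
allow_url_include = On
"""
# The .htaccess lines given in the post.
POST_HTACCESS = """\
php_flag register_globals off
php_flag allow_url_include off
php_flag allow_url_fopen on
"""

if __name__ == "__main__":
    print("php.ini  :", audit(parse_php_ini(RISKY_INI)))
    print(".htaccess:", audit(parse_htaccess(POST_HTACCESS)))
```

It reads file text only, so it cannot tell whether the server actually honours the file or what the master values are.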
 
 