1) First, you have to protect your users. I'd say there are three things to worry about here:
- SQL Injection. "Little Bobby Tables". This one is easy - use bind variables for all sql, and don't -ever- have dynamically interpreted sql with user inputs.
- Cross Site Scripting ("XSS"). This one is harder. If you ever display something to one user that could have been entered by another user, user b can own user a with some html. It's very hard to check for bad html because it can be disguised in various ways. A whitelist filter of allowed html is safer than a blacklist, but you still have to manage to consistenly scrub input.
- The fact that passwords are essentially inadequate, but it's hard and/or expensive to come up with anything better. So force decent passwords, remind your users not to give them to their friends, and anticipate there will be some level of "my angry ex boyfriend deleted all my stuff" support requests so history logs of important actions and the ability to roll stuff back will be useful.
- There *are* more types of things that can be done ("clickjacking", "sidejacking", dns poisoning) but I think the above cover most problems you really need to plan on.
2) Next, you have to protect your game.
- Malicious users. It's particularly easy to be a malicious user with HTML - the web app provides a nice form variable "itemid=12", I can change it to "itemid=1", poof I have your super wizard staff. You can't trust your users, ever, so write your app so that impossible things aren't permitted.
- Bots - if there is any instance where user activity is rewarded, somebody will find a way to automate it. It's a problem from a purely technical server load perspective, and it's also a problem from an upsetting good users viewpoint. Good luck here.