Common web attacks


Security is a very important aspect of any web application. Your site and your users/visitors can be compromised by an attacker in various ways. Below I list some of the most common attacks that a site or a web user can suffer.


SQL injection

The attacker enters SQL commands in places like search boxes, login forms, and even directly in the URL bar, so that the application passes them on to its database as part of a query.
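As an added illustration (not part of the original post), the login-form case beside its fix: one query built by pasting the form fields into the SQL text, and one that uses placeholders. The table, the user record and the form input are all constructed for the demo; a real application would store a password hash, not the password itself.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Defect: the form fields are pasted straight into the SQL text, so a
    # quote in the input changes the query's structure instead of being data.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # Fix: placeholders keep the SQL fixed; the driver sends the values
    # separately, so they are never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

def demo() -> dict:
    conn = make_db()
    # Constructed input typed into the password box of a login form: it
    # closes the string and appends a condition that is always true.
    bad_password = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", bad_password),  # 'alice'
        "safe": login_safe(conn, "alice", bad_password),              # None
        "safe_real": login_safe(conn, "alice", "correct-horse"),      # 'alice'
    }

if __name__ == "__main__":
    print(demo())
```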

XSS (Cross-Site Scripting)

The attacker injects malicious scripts into a trusted site so that they are delivered to and run in other users' browsers (e.g. on social media sites).

LFI/RFI (Local / Remote File Inclusion)

LFI: The attacker targets include parameters in PHP and requests that an alternative file from the server's own filesystem be used in the specific request.

RFI: The attacker asks the victim's server to go somewhere else on the internet to find a dangerous script, and the server then runs it from that location.

Brute Force Attacks

A brute force attack can manifest itself in many different ways, but it primarily consists of an attacker configuring predetermined values, making requests to a server using those values, and then analyzing the responses (via bots). The attacker may use a dictionary attack or a traditional brute force attack, which works through predefined classes of characters.

DoS (Denial of Service) / DDoS (Distributed DoS)

They are the same attack; a DDoS is simply bigger and comes from many sources.
The attacker uses one or more computers (maybe thousands), probably compromised, to flood the targeted machine or resource with superfluous requests in an attempt to overload the system and prevent legitimate requests from being fulfilled.

CSRF (Cross-Site Request Forgery)

The attacker is a third-party site which issues requests to the target site using the victim's browser, so the requests carry the victim's sessions/cookies.

MITM (Man In The Middle)

The attacker secretly relays and possibly alters the communication between two parties who believe they are communicating directly with each other.

Spoofing

One person or program successfully masquerades as another by falsifying data.