The most important threats are the ones that try to reach the backend, such as the database. SQL injection is at the top of that list. The check you need to do is to make sure that user input is never fed directly into the string of a dynamic query. "User input" means anything that comes from the client: even if the user cannot edit a field in the form or in the browser, assume they can intercept the traffic leaving their browser and inject anything into any field, including hidden fields, cookies and headers. So always keep in mind: "do not trust input coming from the client".
Once you stop trusting user input, you have to validate every input. For SQL injection, reject anything that is not in the accepted set; e.g., if the user is supposed to search for a number, do not accept anything except a string of 0-9 up to a certain length, and reject the request (rather than silently stripping characters) if it contains anything else. Validation alone is not the fix, though: avoid dynamic queries altogether and use parameterized queries (bound parameters), so the database never parses the user's value as SQL. Stored procedures help only if they do not build dynamic SQL internally; a stored procedure that concatenates its arguments into a query string is just as injectable.
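The following is an added example, not code from the original post, showing the two points above side by side: a dynamic query that concatenates the order id, and the same lookup with whitelist validation plus a bound parameter. It uses an in-memory SQLite table with constructed sample rows; the table, column names and the "2 OR 1=1" payload are all assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the original post): a small orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 10.0), (2, "bob", 20.0), (3, "carol", 30.0)],
    )
    conn.commit()
    return conn


def lookup_order_vulnerable(conn, order_id):
    """Dynamic query: the client-supplied value is concatenated straight into SQL."""
    sql = "SELECT id, customer FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()


# Whitelist for an order id: 1 to 10 ASCII digits, nothing else.
ORDER_ID_RE = re.compile(r"^[0-9]{1,10}$")


def validate_order_id(order_id):
    """Reject (do not 'clean up') anything outside the whitelist."""
    if not ORDER_ID_RE.match(order_id):
        raise ValueError("invalid order id")
    return int(order_id)


def lookup_order_param_only(conn, order_id):
    """Parameterized query without validation: the payload is bound as a plain
    value and compared against the integer column, so it matches nothing."""
    return conn.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


def lookup_order_safe(conn, order_id):
    """Defense in depth: whitelist validation first, then a bound parameter."""
    oid = validate_order_id(order_id)
    return conn.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (oid,)
    ).fetchall()


def demo():
    """Run both lookups against a benign id and an injection payload."""
    conn = make_db()
    benign = "2"
    malicious = "2 OR 1=1"  # constructed payload: turns the WHERE clause into a tautology
    vuln_benign = lookup_order_vulnerable(conn, benign)
    vuln_malicious = lookup_order_vulnerable(conn, malicious)  # every row comes back
    param_malicious = lookup_order_param_only(conn, malicious)  # no row matches
    safe_benign = lookup_order_safe(conn, benign)
    try:
        lookup_order_safe(conn, malicious)
        safe_malicious = "accepted"
    except ValueError:
        safe_malicious = "rejected"  # request refused before any SQL runs
    return vuln_benign, vuln_malicious, param_malicious, safe_benign, safe_malicious


if __name__ == "__main__":
    for label, value in zip(
        ["vulnerable/benign", "vulnerable/payload", "param-only/payload",
         "safe/benign", "safe/payload"],
        demo(),
    ):
        print(f"{label}: {value}")
```

The vulnerable path returns the whole table for the payload; the parameterized path returns nothing for it, and the validated path never reaches the database. Keep both layers: the bound parameter is what actually stops injection, and the whitelist keeps junk out of the query and gives you a clean place to log and reject it.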
The next attack on the list is injection that targets other users, such as XSS. The story with XSS is similar to SQL injection: you should not trust user input, and you should do whitelist validation on every input when you receive it. The other half of the defense is output encoding: whatever user data you put into a page must be escaped for the context it lands in (HTML body, attribute, JavaScript, URL), because a value that is harmless in one context can break out of another. In general, client-side checks that the user typed data in the right format are a usability feature, not a security control, and everything must be rechecked on the server side.
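As an added example (not from the original post), here is a comment-rendering function written the way the paragraph warns against, next to one that applies a server-side whitelist to the author field and HTML-escapes both values before they reach the page. The markup, the field names and the payloads are constructed for the illustration.

```python
import html
import re

# Whitelist for a username: letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value):
    """Server-side whitelist check; reject anything outside the allowed set."""
    return bool(USERNAME_RE.match(value))


def render_comment_vulnerable(author, body):
    """Raw concatenation: both values land in the page exactly as submitted.
    'author' goes into an attribute, 'body' into the element text."""
    return '<p class="comment" data-author="' + author + '">' + body + "</p>"


def render_comment_safe(author, body):
    """Whitelist the structured field, then escape both for their HTML context.
    quote=True also encodes quotes, which matters inside the attribute."""
    if not validate_username(author):
        raise ValueError("invalid author")
    return '<p class="comment" data-author="%s">%s</p>' % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def demo():
    """Render a constructed script payload and an attribute-breakout author."""
    script_payload = "<script>alert(1)</script>"
    breakout_author = 'x" onmouseover="alert(1)'
    unsafe_body = render_comment_vulnerable("alice", script_payload)
    unsafe_attr = render_comment_vulnerable(breakout_author, "hi")
    safe_body = render_comment_safe("alice", script_payload)
    try:
        render_comment_safe(breakout_author, "hi")
        attr_result = "accepted"
    except ValueError:
        attr_result = "rejected"
    return unsafe_body, unsafe_attr, safe_body, attr_result


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Escaping handles the free-text body, where a whitelist would be too restrictive; the whitelist handles the structured field, where there is no legitimate reason to accept quotes or angle brackets at all. Note that html.escape is only correct for HTML body and attribute contexts; data placed inside a script block or a URL needs the encoding for that context instead.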
You have to pay extra attention to the authentication part. Username and password entry looks like easy functionality; it is not. Make sure that on a successful login a new session identifier is generated and set in the client's cookie; reusing whatever identifier the browser already had opens you to session fixation. For the rest of the time the user is logged in, that session identifier must never travel over plain HTTP, i.e., the whole authenticated session has to go over TLS. The identifier must be random, long enough and unguessable; every mainstream web framework already generates one from a cryptographically secure random source, so do not reinvent the wheel. Make sure the session cookie has the Secure and HttpOnly flags set, and make sure the session expires after an idle period and is destroyed on manual log out. Password reset and change are also very sensitive functionalities, which need a long post of their own.
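The following added example (not the original post's code) pulls the session requirements above into one small store: a 256-bit identifier from the OS CSPRNG, rotation of the identifier on login, an idle timeout, explicit logout, and the Set-Cookie header with the Secure and HttpOnly flags. The store name, the 15-minute timeout and the injectable clock are assumptions made so the behaviour can be exercised offline.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed value)


class SessionStore:
    """In-memory session store. 'now' is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now

    def create(self, user):
        # 32 random bytes from the OS CSPRNG, URL-safe encoded: ~256 bits of entropy.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def login(self, old_sid, user):
        """Rotate on login: discard the pre-authentication id and issue a new one,
        so an identifier planted before login (session fixation) is worthless."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def get(self, sid):
        """Resolve a session id to its user, enforcing the idle timeout."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        session["last_seen"] = self._now()
        return session["user"]

    def logout(self, sid):
        """Manual log out: the id is removed server-side, not just from the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Build the Set-Cookie header for the session id with the required flags."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["httponly"] = True   # not readable from JavaScript
    cookie["session"]["samesite"] = "Lax"  # limits cross-site sending
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create(None)
    sid = store.login(anonymous, "alice")
    print(session_cookie_header(sid))
    print("old id still valid:", store.get(anonymous) is not None)
    print("new id resolves to:", store.get(sid))
```

The two properties worth checking in a review are the ones this code makes explicit: the pre-login identifier is invalid after login, and an idle session stops resolving without the client having to do anything.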
A very important part is authorization. Once a user is authenticated you are not done: each user should only be able to reach certain pages and certain data. So every request must be checked on the server side, both for whether the user's role allows the action (vertical privilege escalation) and for whether the specific record belongs to them (horizontal privilege escalation, e.g. changing an id in the URL to read another user's data). Never take the role or the ownership from something the client sent.
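As an added example (not from the original post), here is a request handler that skips the per-record check next to one that performs both checks on the server side. The users, roles, permission names and records are constructed for the illustration; the idea generalizes to any endpoint that takes an object identifier from the client.

```python
# Constructed sample data (not from the original post).
ROLES = {"alice": "user", "bob": "user", "root": "admin"}
PERMISSIONS = {
    "user": {"record:read"},
    "admin": {"record:read", "record:delete"},
}
RECORDS = {
    101: {"owner": "alice", "body": "alice's private note"},
    102: {"owner": "bob", "body": "bob's private note"},
}


class Forbidden(Exception):
    pass


def authorize(user, action, record):
    """Both checks, using server-side state only: the role comes from ROLES,
    the owner from the stored record, never from the request."""
    role = ROLES.get(user)
    if role is None or action not in PERMISSIONS.get(role, set()):
        raise Forbidden("role %r may not %s" % (role, action))
    if role != "admin" and record["owner"] != user:
        raise Forbidden("%s does not own this record" % user)


def handle_vulnerable(user, action, record_id):
    """Authenticated, and the role is checked, but any logged-in user can read
    any record just by supplying its id (the classic IDOR)."""
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    role = ROLES.get(user)
    if role is None or action not in PERMISSIONS.get(role, set()):
        return 403, None
    return 200, record["body"]


def handle_safe(user, action, record_id):
    """Look the record up, then run the full authorization check on every request."""
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    try:
        authorize(user, action, record)
    except Forbidden:
        return 403, None
    if action == "record:delete":
        del RECORDS[record_id]
        return 200, None
    return 200, record["body"]


if __name__ == "__main__":
    print("vulnerable, bob reads alice's record:", handle_vulnerable("bob", "record:read", 101))
    print("safe, bob reads alice's record:", handle_safe("bob", "record:read", 101))
    print("safe, alice reads her own record:", handle_safe("alice", "record:read", 101))
    print("safe, alice tries to delete:", handle_safe("alice", "record:delete", 101))
    print("safe, admin deletes:", handle_safe("root", "record:delete", 102))
```

The vulnerable handler is the more common bug in practice: the role check is there, so the page "has authorization", yet the record id is trusted as-is. Put the check in one function like authorize and call it from every handler that touches a record, so a new endpoint cannot forget it.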