The most common security issue on a website built with PHP is weakness in how the function include() is used.
A common approach taken by a hacker is to experiment with GET parameters to detect vulnerabilities, which are often related to how the website in question uses the function include().
When such a problem is detected, it can be exploited by sending specially designed GET parameters that fool the website into loading PHP pages from other servers.
A PHP page that is loaded from another server could contain anything. For example, it may be a page where you could upload whatever you want to any directory within the website. It could also be a phishing site that steals login information. You can read more about phishing here.
The person carrying out the attack then sends email to many email addresses (a spam mailing), sets the sender to something that looks like the official website under attack, and includes a link to the hijacked home page, often with a message that you need to log in to edit your contact information or something similar.
Because the page you come to when you click on the link looks like the website's login page, many people are fooled into logging in. They want to change their password, as the e-mail they received said they had to.
The fake login page saves the login information and mails it to an e-mail address that the person who created the phishing site reads. He now has access to a lot of real logins at the website and could use these, for example, to empty bank accounts.
An example of the PHP include problem.
If you have a website, http://www.mindoman.se, and a page called index.php with the following contents:
<html>
<body>
<?php include($_GET['page'].".php"); ?>
</body>
</html>
A visitor could now visit http://www.mindoman.se/index.php?page=/exploit.txt.
Let us say that there is PHP code at http://www.dangerous-site.com/exploit.txt.php, for example the code for an upload site. When you visit the URL above this code will be visible. If you use include in this way, it means that the page is loaded from www.dangerous-site.com but runs on www.mindoman.se.
The visitor should now be able to upload files to www.mindoman.se through the upload site. Of course it does not have to be an upload site; it could just as well be something else: perhaps a page that replaces index.php, removes or changes something else on the website, or uploads a phishing site.
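A hardened version of the index.php above, as an added example that is not part of the original page: the GET parameter is only used as a key into a fixed list, so no visitor-supplied string ever becomes part of the path given to include(). The page names (home, about, contact) and the pages/ directory are assumptions made for the illustration.

```php
<?php
// Added example (not from the original page). The page names and the
// pages/ directory are assumed for illustration.

// Allowlist: the only values of ?page= that may ever reach include().
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the request parameter to a file inside $baseDir, or return null.
 * The visitor's string is only a lookup key, never part of a path.
 */
function resolve_page($param, string $baseDir): ?string
{
    // Rejects arrays (?page[]=x), URLs, ../ sequences and unknown names.
    if (!is_string($param) || !array_key_exists($param, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$param]);
    // Defence in depth: the file must exist and really live under $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
?>
<html>
<body>
<?php include $target; ?>
</body>
</html>
```

Independently of the code, the php.ini setting allow_url_include = Off (the default) stops include() from loading pages over http:// from other servers.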