Global variables, undeclared variables, and variables that are sent with POST, GET, or cookies (basically from the client to the server) would be the first thing an attacker will look for. It is highly recommended to never use global variables unless you really, really, really need to. If you do use these methods you must check the variables really well.
For example, even if your variable is only used to grab an image (or just display the image name) and post it, you are running the risk of an XSS attack. This was a huge problem with PostNuke, EasyNews php, webalizer, GNU Mailman, mp3 files and all sorts of programs out there. This type of attack isn't limited to images, really anything that is posted.
(Just wanted to provide an example of how dangerous user variables can be.)
As till said, don't worry about changing your code if it works. I am currently going through the code, time permitting, to help secure it.
Awesome work though. Thank you so much for doing that. If you need any help I am more than happy to help.
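The image-name case described above, as an added example that is not part of the thread or of the code being discussed: a PHP page takes a file name from the client and echoes it into an `<img>` tag. The first function places the value straight into the markup, which is the XSS risk the post refers to; the second validates it against an allowlist pattern and encodes it for the HTML attribute context. The function names, the `images/` path and the sample inputs are all constructed for illustration. (Under PHP's old `register_globals` setting, a query-string parameter could also silently populate an undeclared variable such as `$image` without the code ever reading `$_GET`, which is why the post warns about undeclared variables as well.)

```php
<?php
// Added example, not from the forum thread. Shows an unsafe and a hardened
// way of rendering a client-supplied image name. $_GET['image'] would be the
// untrusted input in a real page; below we feed constructed values instead.

// Unsafe: the client-controlled value is interpolated directly into HTML.
// Quotes or angle brackets in the value change the markup, so an attacker
// controls what the browser executes (cross-site scripting).
function render_image_unsafe(string $image): string
{
    return "<img src=\"images/$image\" alt=\"$image\">";
}

// Hardened: validate first, then encode for the context it is written into.
// Returns null when the value is not a plain file name so the caller can
// answer with an error instead of rendering anything.
function render_image_safe(string $image): ?string
{
    // Allowlist: letters, digits, dot, dash, underscore, at most 64 chars.
    // This rules out quotes, tags and path separators (no "../" either).
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $image)) {
        return null;
    }
    // Even an allowlisted value is still encoded for the attribute context;
    // ENT_QUOTES covers both single and double quotes.
    $escaped = htmlspecialchars($image, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<img src=\"images/$escaped\" alt=\"$escaped\">";
}

// Constructed sample inputs standing in for what a client might send.
$inputs = [
    'logo.png',                 // legitimate file name
    '" onerror="alert(1)',      // breaks out of the src attribute in the unsafe version
    '../../etc/passwd',         // path traversal attempt, rejected by the allowlist
];

foreach ($inputs as $value) {
    echo "input:  $value\n";
    echo "unsafe: " . render_image_unsafe($value) . "\n";
    echo "safe:   " . (render_image_safe($value) ?? '(rejected)') . "\n\n";
}
```

Running the script from the command line shows that only the first input produces a tag in the hardened version; the other two are rejected before any HTML is built. The general rule the post is making is visible in the two functions: treat everything that arrives from the client as data, validate it against what the page actually expects, and encode it for wherever it is written, rather than trusting that an "image name" can only ever be an image name.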