You can run a vulnerability assessment on your own site with tools like Grendel-Scan (open-source and free
In order to secure the site, you should be validating ALL inputs. Now, what does that mean exactly? It's a very wide range of sanity checking. If it's going into the database, SQL syntax keywords and characters need to be watched very closely (things like ' " OR = /* # -- and even words like UPDATE, DECLARE, CAST can be dangerous). For simple XSS attacks, running the input through htmlentities() is generally a pretty safe methodology.
There are far more things to do than this, however; it would take ages to write out a 'full' list.
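As an added example (not code from the answer above), here is the same hostile input handled three ways in PHP: concatenated straight into a query, passed through a PDO prepared statement so the quotes and the OR the answer warns about stay data rather than SQL, and encoded with htmlentities() before being written into HTML. The in-memory SQLite database, the table, and both payloads are constructed for the example; it assumes the pdo_sqlite extension, which ships with most PHP builds.

```php
<?php
// Added example, not the original answer's code. PDO with an in-memory SQLite
// database so it runs offline; the table and inputs below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)");
$pdo->exec("INSERT INTO users (name, bio) VALUES ('alice', 'hello'), ('bob', 'hi')");

// Constructed hostile input: the quote closes the string literal and the
// OR '1'='1' tautology is true for every row.
$input = "x' OR '1'='1";

// 1. Vulnerable: user input interpolated into the SQL text. The database
//    parses the injected OR as part of the WHERE clause and returns every user.
$sql = "SELECT name FROM users WHERE name = '$input'";
$leaked = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated query matched " . count($leaked) . " row(s)\n";

// 2. Prepared statement: the SQL is parsed first with a placeholder, and the
//    input is bound afterwards as a plain string. The ' and OR in $input are
//    compared literally against the name column, so nothing matches.
$stmt = $pdo->prepare("SELECT name FROM users WHERE name = ?");
$stmt->execute([$input]);
$matched = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared query matched " . count($matched) . " row(s)\n";

// 3. XSS: encode at output time, not at storage time, so the database keeps
//    the raw value and every output context can encode for itself.
//    ENT_QUOTES also converts the single quote, which matters when the value
//    is placed inside an attribute; passing the charset explicitly keeps
//    multibyte sequences from slipping past the encoder.
$payload = '<script>alert(1)</script>" onmouseover="alert(2)';
$encoded = htmlentities($payload, ENT_QUOTES, 'UTF-8');
echo '<p title="' . $encoded . '">' . $encoded . "</p>\n";
```

Running it shows the concatenated query returning both users while the prepared statement returns none, and the encoded payload rendering as inert text instead of a script tag and an injected attribute. The prepared statement does not depend on spotting the keywords listed in the answer, which is why it holds up against payloads that use none of them.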