Thanks for those, I am happy that I could experience some of those before, though.
The client is in the hands of the enemy. Never blindly accept whatever is sent back from the player, i.e. when you're having the player move around, don't just have the player send you his or her new location and set that.
That's something that is obvious to me (luckily), so I try as hard as possible to secure things down. Ofcourse, I won't be able to make it 100% enemy-protected, but I wish I can get it to some proper level.
Sanitize your data. Run it through a MySQL character escape going into the database and the reverse when retrieving it. The same applies to accepting and displaying any text the user inputs in a webpage, lest you create XSS (cross-server scripting) vulnerabilities.
Again, luckily I spent some time reading about websites' vulnerabilties, so I know those popular terms like XSS, mySQL injection, most common PHP vulnerabilities like injecting your own code. I hope that will let me protect the whole thing to some extent.
* user data server - stores user login information (be sure to encrypt passwords and store only the hashed passwords, you don't have to decrypt them, just make sure whatever password a user sends hashes to the same value, thus no plaintext passwords)
Another thing I lately read about, I sent you a PM with few questions. I hope you don't mind answering them.
* web server - hosts the pages the player will use to connect to and interact with your game. Even if you're making it Flash based, you might want to make things like user account management be separate pages rather than all done through the game.
Yes, account management ( like previewing your in game characters ) is a thing I thought about, but I think I'll leave it for now.
In general, you've mentioned a lot of different servers, while my project is aimed to be minimalistic for now, and I will have to stick with two "servers" running in one machine. (Website handling [apache/nginx] & game server [coded in Go])
Making that many servers would take too long, I think.