How can PHP be used to create secure web applications?
Here are some tips to create secure PHP web applications:
1. Use prepared statements and parameterized queries to prevent SQL injection. Never concatenate user input into SQL queries.
2. Validate and sanitize all user input. Use PHP's filter_var() function to validate data types and sanitize strings.
3. Use encryption and hashing functions to protect sensitive data. For example, use PHP's password_hash() and password_verify() functions for passwords.
4. Use PHP sessions to maintain state and protect from CSRF attacks. Regenerate the session ID after user login.
5. Escape all output to prevent XSS attacks. Use PHP's htmlspecialchars() or htmlentities() functions.
6. Use PHP's PDO abstraction layer for database queries instead of the outdated mysql/mysqli extensions. PDO has better security features.
7. Keep PHP updated to the latest version to patch any vulnerabilities. PHP 7+ has many security improvements over older versions.
8. Don't trust $_FILES or $_GET arrays for uploaded filenames. A malicious user could upload a .php file with a spoofed extension.
9. Use a security-focused framework like Symfony or Laravel which handle many best practices for you.
10. Follow the principle of least privilege. Don't run your PHP application as a superuser. Limit file permissions as much as possible.
11. Use password protection, SSL, and limit access to sensitive files on the server. Don't leave them publicly accessible.
12. Stay up-to-date with PHP security best practices. The PHP security documentation has more tips.
Now please create an example web application using PHP.
I'll provide a simple example of a web application using PHP. This example will demonstrate a basic registration and login system. For brevity, I won't go into detail about securing every aspect of the application, but I'll point out some important security practices.

Create a file called `config.php` for your database connection:

```php
<?php
$servername = "localhost";
$username = "your_username";
$password = "your_password";
$dbname = "your_database_name";

// Open the MySQLi connection shared by the other scripts
$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
?>
```

Create a file called `register.php` for user registration:

```php
<?php
include('config.php');

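if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
    $username = filter_var($_POST["username"] ?? "", FILTER_SANITIZE_STRING);
    $email = filter_var($_POST["email"] ?? "", FILTER_SANITIZE_EMAIL);
    $password = $_POST["password"] ?? "";

    if (empty($username) || empty($email) || empty($password)) {
        echo "All fields are required.";
    } else {
        // Store only a hash of the password, never the plaintext
        $hashed_password = password_hash($password, PASSWORD_DEFAULT);

        // Prepared statement: user input is bound, never concatenated into the SQL
        $stmt = $conn->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)");
        $stmt->bind_param("sss", $username, $email, $hashed_password);

        if ($stmt->execute()) {
            echo "User registered successfully.";
        } else {
            // The database error can echo back submitted values, so escape it
            echo "Error: " . htmlspecialchars($stmt->error);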
        }

        $stmt->close();
    }
}
?>

<!DOCTYPE html>
<html>
<head>
    <title>Registration</title>
</head>
<body>
    <h1>Register</h1>
    <form action="register.php" method="post">
        <input type="text" name="username" placeholder="Username" required>
        <input type="email" name="email" placeholder="Email" required>
        <input type="password" name="password" placeholder="Password" required>
        <input type="submit" value="Register">
    </form>
</body>
</html>
```

Create a file called `login.php` for user login:

```php
<?php
include('config.php');
session_start();

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
    $username = filter_var($_POST["username"] ?? "", FILTER_SANITIZE_STRING);
    $password = $_POST["password"] ?? "";

    if (empty($username) || empty($password)) {
        echo "All fields are required.";
    } else {
        $stmt = $conn->prepare("SELECT id, username, password FROM users WHERE username = ?");
        $stmt->bind_param("s", $username);

        if ($stmt->execute()) {
            $stmt->store_result();
            $stmt->bind_result($id, $username, $hashed_password);

            if ($stmt->num_rows > 0) {
                $stmt->fetch();
                if (password_verify($password, $hashed_password)) {
                    // Regenerate the session ID on login to prevent session fixation
                    session_regenerate_id(true);
                    $_SESSION["loggedin"] = true;
                    $_SESSION["id"] = $id;
                    $_SESSION["username"] = $username;
                    header("Location: welcome.php");
                    exit; // stop here so the login form is not rendered after the redirect
                } else {
                    echo "Invalid username or password.";
                }
            } else {
                echo "Invalid username or password.";
            }
        } else {
            // Escape the database error before printing it
            echo "Error: " . htmlspecialchars($stmt->error);
        }

        $stmt->close();
    }
}
?>

<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <h1>Login</h1>
    <form action="login.php" method="post">
        <input type="text" name="username" placeholder="Username" required>
        <input type="password" name="password" placeholder="Password" required>
        <input type="submit" value="Login">
    </form>
</body>
</html>
```

Create a file called `welcome.php` for the welcome page after a successful login:

```php
<?php
session_start();

// Send anyone without an authenticated session back to the login page
if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
    header("Location: login.php");
    exit;
}
?>

<!DOCTYPE html>
<html>
<head>
    <title>Welcome</title>
</head>
<body>
    <h1>Welcome, <?php echo htmlspecialchars($_SESSION["username"]); ?>!</h1>
    <p><a href="logout.php">Logout</a></p>
</body>
</html>
```

Create a file called `logout.php` for user logout:

```php
<?php
session_start();
$_SESSION = array();
session_destroy();
header("Location: login.php");
exit;
?>
```

Make sure to create a users table in your MySQL database with the following structure:

```sql
CREATE TABLE users (
  id INT(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(50) NOT NULL UNIQUE,
  email VARCHAR(50) NOT NULL UNIQUE,
  password VARCHAR(255) NOT NULL
);
```

Please note that this example is a simple illustration of a PHP web application and may not be fully secure. For production use, it's crucial to follow security best practices, including validating and sanitizing user input, using prepared statements, and implementing proper session management, as mentioned in the previous answer.
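
The forms in `register.php` and `login.php` above carry no CSRF token, although tip 4 of the first answer names CSRF as something sessions should protect against. The following is an added example, not part of the original answer: a session-bound token helper in which the file name `csrf.php` and the `csrf_*` function names are hypothetical.

```php
<?php
// csrf.php - added example; the file name and the csrf_* function names are
// hypothetical and do not come from the original answer.

function csrf_start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Return the per-session token, creating it on first use.
function csrf_token(): string
{
    csrf_start_session();
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded to 64 characters
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden form field carrying the token; echo it inside each <form>.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only if the POSTed token matches the one stored in the session.
function csrf_verify(): bool
{
    csrf_start_session();
    $expected = $_SESSION['csrf_token'] ?? '';
    $sent = $_POST['csrf_token'] ?? '';
    // is_string() rejects array input such as csrf_token[]=x;
    // hash_equals() compares in constant time.
    return is_string($expected) && $expected !== ''
        && is_string($sent) && hash_equals($expected, $sent);
}

// Usage in register.php and login.php, before any database work:
//   require 'csrf.php';
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_verify()) {
//       http_response_code(403);
//       exit('Invalid request.');
//   }
// and echo csrf_field() inside each form so the token is submitted with it.
```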