Besides variables coming from query strings ($_GET), posted form data ($_POST), and cookies ($_COOKIE), you should treat session variables as tainted too if your site is on a shared host.
If you have used Perl you probably have heard of tainted variables - they are variables that come from user input and as such shouldn't be trusted. The only way to untaint a variable in Perl is to use a regular expression to extract a value out of it.
Whatever language you use to build your scripts, you should never trust user input.
If your site is on a shared hosting service, that probably means that other people may be able to open your files and get sensitive data out of them.
What's more, if other sites on the host share the same domain (that is, your site is reachable under a directory other than the root), cookies shouldn't be trusted. Not that it is a good idea to trust cookies, but other people on the hosting service may generate sessions that will be valid for your site.
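The Perl-style untainting described above, applied to session data in PHP. This is an added example, not code from the original page; the session keys, the patterns and the helper names untaint() and clean_session() are assumptions, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: session keys and patterns below are assumptions.

/** Return the text matched by an anchored $pattern, or null on no match. */
function untaint($value, string $pattern): ?string
{
    // Arrays, objects, booleans and null never count as a match.
    if (!is_string($value) && !is_int($value)) {
        return null;
    }
    return preg_match($pattern, (string) $value, $m) === 1 ? $m[0] : null;
}

// Hypothetical allow-list: one anchored pattern per session key the site uses.
const SESSION_RULES = [
    'user_id' => '/\A[1-9][0-9]{0,9}\z/',
    'role'    => '/\A(?:guest|member|admin)\z/',
    'lang'    => '/\A[a-z]{2}\z/',
];

/**
 * Build a clean copy of the session data. Keys without a rule are dropped;
 * a key that fails its pattern rejects the whole session (fail closed).
 */
function clean_session(array $session): ?array
{
    $clean = [];
    foreach (SESSION_RULES as $key => $pattern) {
        if (!array_key_exists($key, $session)) {
            continue;
        }
        $value = untaint($session[$key], $pattern);
        if ($value === null) {
            return null;
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample data standing in for $_SESSION.
var_dump(clean_session(['user_id' => '42', 'role' => 'member', 'debug' => '1']));
var_dump(clean_session(['user_id' => '42 OR 1=1', 'role' => 'admin']));
var_dump(clean_session(['user_id' => ['42'], 'lang' => 'en']));
```

A value that passes its pattern is only well formed, not authentic, so anything that grants access should still be checked against the site's own records.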
The superglobal arrays $_GET... are available since PHP 4.1.0; for previous versions of PHP the equivalents are the $HTTP_*_VARS.
I didn't mention the case when you're using register_globals = on, because that implies that you don't care about security at all.