Some humble suggestions:
- Rating of 0
- Listing things by (and with) the total number of downloads recorded, instead of the number of downloads this week
- Use input abstraction functions such as get_param($param[string],$type["integer"|"string"|"html"|"float"],$required[boolean]); and post_param([same args]); to make injection prevention much easier and more standard.
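
One way to implement the input abstraction suggested in the last item, added here as an example and not code from the original post or from the project. The get_param/post_param signatures follow the suggestion; the read_param helper, the exception type, and the meaning given to "string" and "html" are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical shared helper: fetch one parameter, validate it against the
// requested type, and fail closed on anything unexpected.
function read_param(array $source, string $name, string $type, bool $required)
{
    $raw = $source[$name] ?? null;
    if ($raw === null || $raw === '') {
        if ($required) {
            throw new InvalidArgumentException("Missing parameter: $name");
        }
        return null;
    }
    // name[]=x arrives as an array; reject instead of coercing.
    if (!is_string($raw)) {
        throw new InvalidArgumentException("Parameter $name must be a scalar");
    }
    switch ($type) {
        case 'integer':
            $value = filter_var($raw, FILTER_VALIDATE_INT);
            break;
        case 'float':
            $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
            break;
        case 'string': // Assumption: plain text, valid UTF-8, no control bytes.
            $bad = preg_match('//u', $raw) !== 1
                || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $raw) === 1;
            $value = $bad ? false : $raw;
            break;
        case 'html': // Assumption: markup is expected; only the encoding is checked.
            $value = preg_match('//u', $raw) === 1 ? $raw : false;
            break;
        default:
            throw new InvalidArgumentException("Unknown type: $type");
    }
    if ($value === false) {
        throw new InvalidArgumentException("Parameter $name is not a valid $type");
    }
    return $value;
}

function get_param(string $name, string $type, bool $required = false)
{
    return read_param($_GET, $name, $type, $required);
}

function post_param(string $name, string $type, bool $required = false)
{
    return read_param($_POST, $name, $type, $required);
}
```

Values returned by these helpers still belong in parameterized queries, and "html" values still need an HTML sanitizer before they are displayed.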