As of PHP 5, no longer use mysql_blah. Now use the mysqli_blah functions. See URL:

http://us3.php.net/manual/en/ref.mysqli.php

Using these functions is much more secure than mysql, and they benchmark better for more in-depth queries. But a major reason to use them is you can do more OOP (object oriented programming), and you can release the arrays formed from memory at the end of the function.

Check this out on ZEND.
http://www.zend.com/php5/articles/php5-mysqli.php

You will notice there is no more mysql_db_select. The db is in the mysqli_connect() function. This, it seems, was a security hole: if you did not specify a db it would open a connection to a default. BAD times.


Now I also learned a nifty little trick. We all know not to accept data from a user as being clean. We have to check it. So you probably use

$my_var = $_POST['my_var']; // for POST methods
$my_var = $_GET['my_var'];  // for GET methods

But just because we know where it came from, does that make it safe? We could use strip_tags() or htmlentities().

But check this out. At the top of your code verify all variables you know are coming in and try to make as many as possible integers.

$my_var = (int)$_GET['my_var']; // 100% safe variable

Now even if the user takes the URL and changes it, my script will convert anything it gets to an integer. So if the attacker took

http://bougus_site.com?myfunction=process&my_var=2134

and changed it to

http://bougus_site.com?my...=phpinfo();

my script would convert this to an integer, making $my_var = 0;

So if you build your scripts so they all use integers, and set it up so no integer should ever be "0", then you could detect when and who is messing with the URLs easily using sessions and some predefined variables.
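Here is an added example (my own code, not from the post above) that puts the two ideas together: an integer-only parameter read at the top of the script, with 0 and non-integers treated as tampering and counted in the session, followed by a mysqli prepared statement with the database named in the connect call. It goes one step beyond the bare (int) cast by using PHP's filter_var() with FILTER_VALIDATE_INT, so that "missing" and "tampered" are told apart from a real value instead of both collapsing to 0. The host, credentials, database name and the "items" table are placeholders.

```php
<?php
// Added example (not from the original post): validate incoming integer
// parameters and use mysqli with a prepared statement. Database host,
// user, password, database and table names are placeholders.

declare(strict_types=1);

// Returns a positive integer or null. Unlike a bare (int) cast, which
// silently turns "phpinfo();" into 0 and "12abc" into 12, FILTER_VALIDATE_INT
// rejects anything that is not a whole decimal integer, and min_range
// rejects 0 and negatives, so a missing or tampered value never looks
// like a legitimate one.
function read_positive_int(array $source, string $key): ?int
{
    if (!isset($source[$key])) {
        return null;
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $value === false ? null : $value;
}

// Log the tampered parameter and count it in the session, so repeated
// attempts from the same session stand out.
function note_tampering(string $key, $raw): void
{
    $_SESSION['tamper_count'] = ($_SESSION['tamper_count'] ?? 0) + 1;
    error_log(sprintf(
        'tampered parameter %s from %s (session %s): %s',
        $key,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        session_id(),
        substr((string) $raw, 0, 200)
    ));
}

session_start();

$my_var = read_positive_int($_GET, 'my_var');
if ($my_var === null) {
    note_tampering('my_var', $_GET['my_var'] ?? '');
    http_response_code(400);
    exit('Bad request');
}

// Placeholder connection details; the database is selected in the
// connect call itself, as the post describes.
$db = new mysqli('db.example.invalid', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    error_log('mysqli connect failed: ' . $db->connect_error);
    http_response_code(500);
    exit('Server error');
}

// Prepared statement: the integer is bound as a parameter, never
// concatenated into the SQL text. 'items' is a placeholder table name.
$stmt = $db->prepare('SELECT name FROM items WHERE id = ?');
if ($stmt === false) {
    error_log('prepare failed: ' . $db->error);
    http_response_code(500);
    exit('Server error');
}
$stmt->bind_param('i', $my_var);
$stmt->execute();
$result = $stmt->get_result(); // requires the mysqlnd driver
$row = $result->fetch_assoc();

echo $row ? htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') : 'Not found';

// Release the result and statement resources before the script ends.
$result->free();
$stmt->close();
$db->close();
```

With this layout the only place user input touches the query is through bind_param(), so the integer check is defence in depth rather than the only line of defence, and the tamper counter in $_SESSION gives you the "when and who" the post mentions without relying on a magic value of 0.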
_________________________
My New site OpenEyes