As of PHP 5, no longer use mysql_blah. Now use the functions mysqli_blah. See the URL
http://us3.php.net/manual/en/ref.mysqli.php Using these functions is much more secure than mysql, and they benchmark better for more in-depth queries. But a major reason to use them is you can do more OOP (object oriented programming), and you can release the arrays formed from memory at the end of the function.
Check this out on ZEND.
http://www.zend.com/php5/articles/php5-mysqli.php You will notice there is no more mysql_db_select; the db is in the mysqli_connect(); function. This it seems was a security hole. If you did not specify a db it would open a connection to a default. BAD times.
Now I also learned a nifty little trick. We all know not to accept data from a user as being clean. We have to check it. So you probably use
$my_var = $_POST['my_var']; // for post methods
$my_var = $_GET['my_var'];  // for get methods
But just because we know where it came from does that make it safe? We could use
strip_tags(); or
htmlentities(); But check this out. At the top of your code verify all variables you know are coming in and try to make as many as possible integers.
$my_var = (int)$_GET['my_var']; // 100% safe variable
Now even if the user takes the URL and changes it, my script will convert anything it gets to an integer. So if the attacker took
http://bougus_site.com?myfunction=process&my_var=2134 and changed it to
http://bougus_site.com?my...=phpinfo(); My script would convert this to an integer making $my_var = 0;
so if you build your scripts so they all use integers and set it up so no integer should ever be "0" then you could detect when and who is messing with the URLs easily using sessions and some predefined variables.
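Here is an added example (not code from the original post) that puts the cast-to-integer trick together with the "no integer should ever be 0" detection idea. The parameter name my_var, the session keys and the constructed request value are assumptions for illustration. It also shows a stricter variant using PHP's filter_var(), which rejects partly numeric input such as "12abc" that a plain (int) cast would silently turn into 12.

```php
<?php
// Added example: integer-cast input handling plus tamper detection via the
// session and predefined server variables. Not from the original post.

session_start();

// The post's trick: cast the raw query-string value to int. Non-numeric input
// such as "phpinfo()" becomes 0, so 0 is treated as "someone edited the URL".
function read_int_param(array $source, string $name): int
{
    return isset($source[$name]) ? (int) $source[$name] : 0;
}

// Stricter variant: filter_var() only accepts a whole integer in range, so
// "12abc" (which (int) would quietly turn into 12) is rejected as well.
// Returns null when the value is missing or not a positive integer.
function read_strict_int_param(array $source, string $name): ?int
{
    if (!isset($source[$name])) {
        return null;
    }
    $v = filter_var(
        $source[$name],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $v === false ? null : $v;
}

// Record who is messing with the URL, using the session and $_SERVER.
// Session keys 'tamper_count' and 'last_tamper' are assumed names.
function record_tamper(string $param, string $raw): void
{
    $_SESSION['tamper_count'] = ($_SESSION['tamper_count'] ?? 0) + 1;
    $_SESSION['last_tamper'] = [
        'param' => $param,
        'raw'   => $raw,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        'uri'   => $_SERVER['REQUEST_URI'] ?? '',
        'time'  => time(),
    ];
    error_log(sprintf(
        'possible URL tampering: ip=%s param=%s raw=%s',
        $_SESSION['last_tamper']['ip'],
        $param,
        $raw
    ));
}

// Constructed sample request, standing in for a real $_GET, so this runs
// from the command line: the attacker swapped the number for a PHP call.
$request = ['my_var' => 'phpinfo()'];

$loose = read_int_param($request, 'my_var');          // 0, as in the post
$strict = read_strict_int_param($request, 'my_var');  // null

if ($loose === 0 || $strict === null) {
    record_tamper('my_var', (string) ($request['my_var'] ?? ''));
    echo "rejected: my_var cast to {$loose}, tamper count "
        . $_SESSION['tamper_count'] . "\n";
} else {
    // $strict is now a positive integer; safe to bind in a mysqli query.
    echo "accepted id {$strict}\n";
}
```

Run it with `php example.php`; the constructed value "phpinfo()" is rejected and the tamper counter in the session increments. Swap the sample for `['my_var' => '2134']` and the strict reader returns 2134, which can then be bound as an integer parameter in a mysqli prepared statement.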