Stefan Esser's Blog:
CORE GRASP - PHP Tainted Mode
August 22, 2007 @ 16:19:27

Stefan Esser points out a new patch today - CORE GRASP - from the Core Security Technologies group that provides taint support surrounding the mysql_query function.

Their implementation adds a tainted or not flag for every byte so that it is possible on invocation of mysql_query() to determine any kind of injection.

Unfortunately, Stefan also mentions two big issues it might have from the get-go: the memory overhead of the taint flags can slow things down, and incorrect parsing in their query handler could lead to injection attacks.




Internet Super Hero Blog:
PHP mysqli_stmt_get_result()
August 22, 2007 @ 13:48:00

Frustrated with the lack of something simple (like mysql_fetch_assoc) in the new mysqli extension, this new function was created and posted about on the Internet Super Hero blog: mysqli_stmt_get_result.

By help of the new function, you can create a mysqli_result object from a statement that returns data (SELECT and other - version dependent!). Then you can use the mysqli_result object to process the returned data: fetch results, access meta data - all you can also do using a mysqli_result object returned by mysqli_query().

Included in the post are a few code examples showing the simplicity of the function and how it can still be used with the standard mysql_* functions to grab the results.





All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework