rocknbil - 8:01 pm on Mar 4, 2010 (gmt 0)
if(!preg_match("/^[0-9]+$/", $userInput))
Not picking on you, honest. :-) True this will match on an integer, but in a working scenario unless there's a possibility "$userInput" will be zero, just as easily validated by
if (!($userInput > 0)) {
I think for PHP coders this one's pretty important, as well as rampant:
Error Message Information Leak
If you have error reporting on, the first thing that happens in an error condition is the server path gets revealed . . .
[You screwed up] at line 285 in /var/www/hosts/example.com/httpdocs/script.php
Second is this.
mysql_query($select) or die(mysql_error());
Which can not only reveal server path info but also database structure. Both of these are very convenient but they are also very deadly.
// Change to 1 ONLY when debugging/developing
$show_err=0;
mysql_query($select) or error_func("Cannot execute query at some marker", mysql_error(), $show_err);
// $report_flag determines whether or not to display
// mysql errors. A case where you would allow it,
function error_func($generic_err,$db_err,$report_flag) {
header("Content-type:text/html");
echo $generic_err;
if ($report_flag==1) { echo $db_err; }
exit;
}
The previous gives the legitimate user enough info to pass along to you so you can fix it, but not enough to snoop your system.
I had to LOL at . . .
The implications are obvious: all your code are belong to them.
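The same idea carried through with current PHP, as an added example that is not part of rocknbil's post: display_errors stays off, log_errors stays on, mysqli is switched into exception mode so one catch block replaces "or die(mysql_error())", and the browser only ever sees a generic message plus a random reference id the user can quote back to you. The fail_safely() helper, the connection details and the articles table are assumptions made for the example; get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not code from the original thread.
// Goal: keep paths and database structure out of the browser while still
// giving the legitimate user something useful to report.
declare(strict_types=1);

// Details never go to the client; they always go to the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Hypothetical helper: log the real error server-side, show the user a
// generic message with a reference id, and stop the script.
function fail_safely(string $context, Throwable $e): void
{
    $ref = bin2hex(random_bytes(6));

    // Full detail (message, file, line) is written to the error log only.
    error_log(sprintf(
        '[%s] %s: %s in %s:%d',
        $ref,
        $context,
        $e->getMessage(),
        $e->getFile(),
        $e->getLine()
    ));

    http_response_code(500);
    header('Content-Type: text/html; charset=utf-8');
    echo 'Something went wrong. Please report reference ',
         htmlspecialchars($ref, ENT_QUOTES, 'UTF-8'),
         ' to the site owner.';
    exit;
}

// Make mysqli throw on failure instead of returning false, so the
// "or die(mysql_error())" pattern is no longer needed anywhere.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    // Connection details and table are assumptions for the example.
    $db = new mysqli('localhost', 'app_user', 'secret', 'app_db');
    $db->set_charset('utf8mb4');

    // Prepared statement: the user-supplied id never becomes part of the
    // SQL text, so a bad value cannot trigger a syntax error that would
    // have leaked the query through mysql_error().
    $id = (int) ($_GET['id'] ?? 0);
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    header('Content-Type: text/html; charset=utf-8');
    echo $row === null
        ? 'No such article.'
        : htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    // Connection, prepare and execute failures all land here; the user
    // gets the reference id, the log gets the SQL error text.
    fail_safely('article lookup', $e);
}
```

With display_errors off, a fatal error that escapes the try block still produces a blank 500 rather than a path dump; the error_log line is what you grep for when a user sends you the reference id.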