Is this secure enough to submit to a database?

jake66

1:01 am on Feb 14, 2008 (gmt 0)

10+ Year Member



Gathering data from the form:

$ses_id = mysql_real_escape_string($_GET['sesid']);
$product_id = mysql_real_escape_string($_POST['product_id']);
$email = mysql_real_escape_string($mail);
$man_id = mysql_real_escape_string($_POST['man_id']);

Sending to database I have:
".mysql_real_escape_string((int)$man_id)."

".mysql_real_escape_string($email)."

now() [whenever I try adding a filter to this, I get database errors. Does it need to be protected?]

If I am selecting from a database, do those records also need to be filtered?

Wasn't sure if this was to go in PHP or databases, but if I put it in the wrong forum, please move it?

vincevincevince

1:17 am on Feb 14, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



mysql_real_escape_string() does need the database link (2nd argument) specified in order to deal with all character sets properly.

Personal tip: put the mysql_escape_string() and similar calls inline in the SQL statement. That way you are sure it was done. It's too easy to forget higher up in the code and then insert unescaped data.

$sql = "INSERT INTO `x` (`a`,`b`) VALUES ('".mysql_real_escape_string($_GET['sessionid'], $db)."',".intval($_GET['userid']).")";

When you've already converted something to an integer with an (int) cast or the intval() function, then you do not need to use mysql_real_escape_string (the key is in the word 'string'). An integer is safe. Personally, I just use intval() around the variable. ' ' quotes are not required or recommended around integers (speed issue), although they are essential around strings. Don't forget ` ` is recommended around all table names and field names.

Be sure that magic_quotes_gpc is off.

You do not need to escape after a SELECT; the only security risk there is if you are somehow executing the database results as a PHP command, most usually through eval(). Do not use eval() on database results unless you are 100% confident they are controlled (i.e. entered by you or generated by PHP rather than the end user).
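As an added example (not code from the original thread), here is the INSERT from the first post written the way this reply recommends: every escape done inline in the SQL string with the database link as the second argument, integers through intval() and left unquoted, backticks around table and column names, and magic_quotes_gpc neutralised before any escaping. It goes one step beyond the reply by also showing the mysqli prepared-statement form, since the mysql_* extension was removed in PHP 7. The host, credentials, the table `orders` and its columns, and the e-mail field name are assumptions.

```php
<?php
// Added example, not code from the original thread. Host, credentials, the
// table `orders`, its columns and the 'email' field name are made up.

// The "2nd argument" is simply the link resource returned by mysql_connect().
$db = mysql_connect('localhost', 'dbuser', 'dbpass');
if (!$db) {
    die('Database connection failed');
}
mysql_select_db('shop', $db);
// Tell the client library which character set the connection uses, so the
// escaping rules match what the server will actually parse.
mysql_set_charset('utf8', $db);

// magic_quotes_gpc: when on, PHP has already backslash-escaped GET/POST/COOKIE
// data, so escaping again would store doubled backslashes. Undo it so that
// mysql_real_escape_string() is the only escaping applied.
function strip_magic_quotes($value)
{
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}
if (get_magic_quotes_gpc()) {
    $_GET  = strip_magic_quotes($_GET);
    $_POST = strip_magic_quotes($_POST);
}

// Validate what can be validated before it goes anywhere near SQL.
$ses_id     = isset($_GET['sesid']) ? $_GET['sesid'] : '';
$product_id = isset($_POST['product_id']) ? intval($_POST['product_id']) : 0;
$man_id     = isset($_POST['man_id']) ? intval($_POST['man_id']) : 0;
$email      = isset($_POST['email']) ? trim($_POST['email']) : '';
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    die('Invalid e-mail address');
}

// Escaping inline, as recommended. Strings: quoted and escaped with the link.
// Integers: intval() result, no quotes, no escaping. NOW() is a SQL function,
// not user data, so it is written as-is and must not be escaped or quoted.
$sql = "INSERT INTO `orders` (`ses_id`, `product_id`, `man_id`, `email`, `created`) VALUES ("
     . "'" . mysql_real_escape_string($ses_id, $db) . "', "
     . $product_id . ", "
     . $man_id . ", "
     . "'" . mysql_real_escape_string($email, $db) . "', "
     . "NOW())";

if (!mysql_query($sql, $db)) {
    // Log the details server-side; never echo mysql_error() to the visitor.
    error_log('Insert failed: ' . mysql_error($db));
    die('Could not save your order');
}

// Reading back: the escaping above protected the SQL, not the HTML the value
// is later printed into. Escape for the output context when displaying it.
$res = mysql_query("SELECT `email` FROM `orders` WHERE `man_id` = " . $man_id, $db);
while ($row = mysql_fetch_assoc($res)) {
    echo htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}

// The mysql_* extension was removed in PHP 7. With mysqli prepared statements
// the values travel separately from the SQL text, so nothing needs escaping;
// this is the form to use in new code.
$m = new mysqli('localhost', 'dbuser', 'dbpass', 'shop');
$m->set_charset('utf8');
$stmt = $m->prepare(
    'INSERT INTO `orders` (`ses_id`, `product_id`, `man_id`, `email`, `created`) VALUES (?, ?, ?, ?, NOW())'
);
// 's' = string, 'i' = integer: the driver types each value, no quotes needed.
$stmt->bind_param('siis', $ses_id, $product_id, $man_id, $email);
$stmt->execute();
$stmt->close();
```

The first half answers the two practical questions that follow from the reply: the link is whatever mysql_connect() returned, and get_magic_quotes_gpc() tells you at runtime whether the setting is on. The NOW() line shows why wrapping it in an escaping function produces database errors: it is part of the query, not a value.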

jake66

1:23 am on Feb 14, 2008 (gmt 0)

10+ Year Member



(2nd argument)

Where do I find this?

Be sure that magic_quotes_gpc is off.

Where can I check if it is?

You do not need to escape after a SELECT, the only security risk there is if you are somehow executing the database results as a PHP command

What is the escape after a SELECT?

How can I tell if I'm executing as a PHP command? The code is written in php..

I do not see any references to eval() in my code so I don't think I'm using it.

Sorry for these extremely stupid questions, but I'm hardly familiar with PHP, and even less so when it comes to MySQL.