I have read that to prevent SQL injection, all MySQL statements should actually my mysqli and parametered. The above code connects to a database, selects a random 'verbs' row, and then takes the cell that intersects the 'verb' row and the def column (the definition of that verb) using mysql_fetch_assoc.
What changes would make a random query safe from injection?
$user_name = "name";
$password = "password";
$database = "words";
$server = "host";
$db_handle = mysqli_connect($server, $user_name, $password) or die (mysqli_error($db_handle));
$db_found = mysqli_select_db($db_handle, $database) or die (mysqli_error($db_handle));
$randVerb = mysql_query("SELECT * FROM verbs ORDER BY RAND() LIMIT 1");
$db_field = mysql_fetch_assoc($randVerb);
$definition= $db_field['def'];
SQL injection can be only in queries uses some variables given from client. You don't have any here, so the query is safe
There is nothing in SQL that is inherently dangerous to injection. The idea of sanitizing (or making a query safe) is when you're running a query based on some user input variable.
Like for example, someone is logging in. you would have a query like
SELECT COUNT() FROM `users` WHERE `user`='$user' AND `pass`='$pass'
which means if $pass="' OR 1=1--";
they would login as the first user in the database. So, you need to sanitize your variables before using them in your query (basically you're escaping quotes when sanitizing SQL data). Which is why PHP says to use mysqli instead of mysql.
You have to use mysqli or PDO because mysql_* is deprecated and it'll be removed in a future version of PHP!
Your code is safe, because you don't use any parameters.
One example for BAD code:
mysql_query("SELECT * FROM verbs WHERE id = ".$_GET['id']);
If you want to use parameters in your query use prepared statements! This is a quite good tutorial: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers