For real security, you'll want to use SSL (https), which your hosting provider should be able to install for you, so that users' passwords cannot be sniffed from the network.
MySQL is secure enough. Just make sure it's not directly reachable from the outside network - local connections only, get a good firewall. Again, your hosting provider should have this configured already. Ask them.
A good read for web security is the OWASP guide.
Some quick other hints:
Always use taint mode, strict and warnings for CGI programs. Really, use all of them.
Try to use placeholders when using DBI and when you can't, use $dbh->quote().
Security depends on the language you use to a certain extent, but that doesn't replace common sense. I bet I could write you an insecure web app in VB .NET if I knew the language. I think it is more important to use a language you are familiar with, so the chance of you doing something stupid in the language is minimized.
PS: Not a technical book, but the best book on security I've read is 'Secrets and Lies' by Bruce Schneier, an eye-opener that made me realize security is not some technical specification.
You can build a secure program in any language. (and you can build complete crap in any language, too.) Some languages are just easier than others, if they make assumptions about how things are done, and that's how you're trying to do it. (now, when you try to override those assumptions, sometimes it's just easier to use a different language).
I wouldn't recommend learning a whole new language, if that means you're going to need to learn a whole new set of security considerations.
mySQL is very powerful, and with InnoDB, can support transactions, which may be necessary depending on what you're trying to do. Yes, there are lots of things that you can do in Oracle (triggers to do referential integrity checks, etc.), but those are quickly being added to mySQL. Look at what features you need for your design, and see if the database can support it -- Oracle specifically makes money by their 'we do everything' so that managers will fear that they might be missing out on something, and buy the absolute biggest, most expensive thing they can. Besides, if you're going to pay for Oracle, you'd be bottlenecked by Windows, so you might as well go with MS-SQL or something else cheaper.
I would suggest putting as many of the constraints as you can within the database, rather than just in the CGI script. (I would actually put them in both places, unless it would adversely affect your execution time, because it's easier to give good messages back to the user).
But of course, most important is what Joost already said -- use HTTPS. Depending on the host, you might have to buy an SSL cert, but it's worth it, just in keeping from taking phone calls about why someone would have to accept your self-signed cert. (a larger webhost might have a wildcard cert, so you won't need to buy one yourself, but you'd have to use their domain name). And use bind variables. And don't trust any of the input to be clean.
As for books -- I haven't found any that I particularly cared for. Too many of them seem to be vanity press... That's not to say they're not out there, but I've given up reading them.
A lot of what I would say has already been covered by other comments, so I won't repeat that (other than SSL! SSL! SSL!).
You mentioned:
secure forms (maxlength)
The maxlength attribute is a way of asking the client not to send data longer than a certain number of characters. Nothing prevents them from ignoring that request. Any sanity checking of data must be performed by the server side script. (You can check on the client side as well, but this should be only to provide convenience for the user, not for your security.)
As for VB.NET; most groups being new languages/frameworks try to hype the language or framework to attract developers. Microsoft is no exception. You might want to consider using the language if it provides significant benefits (such as already being used internally thus providing prewritten libraries that deal with your company's business logic), but don't choose it because it's a buzzword.
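As an added example (not code from any poster in this thread), the following Perl script ties together two points made above: DBI placeholders with $dbh->quote() as the fallback, and enforcing a field length on the server rather than trusting the form's maxlength. It assumes DBD::SQLite is installed and uses an in-memory database in place of MySQL; the table, the row and the input value are constructed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed; an in-memory SQLite database
# stands in for the MySQL server discussed in the thread.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (name TEXT, pw_hash TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 'not-a-real-hash')");

# Constructed sample input standing in for a CGI form field. In a real
# CGI script it would come from the request and be tainted under -T.
my $name = "alice' OR '1'='1";

# The form's maxlength is only a hint to the browser; enforce limits here.
die "name too long\n" if length($name) > 64;

# Unsafe: interpolating the value into the SQL text. The quote in the
# input ends the literal and the injected OR clause matches every row.
my ($unsafe_count) = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM users WHERE name = '$name'");

# Safe: a placeholder ships the value separately from the SQL, so the
# whole string is compared literally and matches nothing.
my ($safe_count) = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM users WHERE name = ?", undef, $name);

# Fallback when a placeholder cannot be used: $dbh->quote() escapes the
# value as an SQL string literal in the way this driver expects.
my ($quoted_count) = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM users WHERE name = " . $dbh->quote($name));

# Identifiers (an ORDER BY column, a table name) cannot be bound or
# quoted as strings; pick them from a fixed whitelist instead.
my %sort_ok = map { $_ => 1 } qw(name pw_hash);
my $sort    = "name";   # constructed; would come from the form
die "bad sort column\n" unless $sort_ok{$sort};
my $rows = $dbh->selectall_arrayref("SELECT name FROM users ORDER BY $sort");

printf "interpolated: %d row(s), placeholder: %d, quote(): %d, sorted: %d\n",
       $unsafe_count, $safe_count, $quoted_count, scalar @$rows;
```

Run it as `perl -T script.pl` so the -T on the shebang line matches the command line; with the constructed input the interpolated query returns 1 row while the placeholder and quote() versions return 0.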
Everyone here has provided some good feedback. The only other thing I can offer is a method I described in this node that I've used for some of my web-based apps utilizing MYSQL.
I will agree with my fellow monks that SSL is important!
Hope this helps