Avoid the Mysql Extension in PHP


There are a few different ways of handling MySQL in PHP.

Ext/mysql, i.e. the functions that start with mysql_xxx, is the oldest and most well known. It is also insecure, doesn’t expose all the database’s features, and will be phased out in future releases. Use mysqli instead, or at least pdo_mysql.

The PHP mysql extension is both obsolete and insecure

Even if it is not as bad as mysql_escape_string, the function mysql_real_escape_string doesn’t escape data properly in every case, and therefore leaves your queries potentially open to SQL injection.

Just as importantly, that extension doesn’t use the full set of MySQL features, such as stored procedures, prepared statements, encryption, etc. It is an old extension, created for MySQL 3.2, and it is going to be phased out in future, as you can see in this comment in the PHP manual. The only reason it hasn’t been removed so far is that it is so widely used that the PHP Group are wary of removing it too quickly and breaking all those websites. But the process has started.

Use mysqli instead of mysql, or at least pdo_mysql

PHP Data Objects (PDO) is an abstraction layer designed to make your code independent of the actual database behind your application. It is a good alternative to mysql, but not the best, as explained in this thread:

I’m not sure the current PDO is “the” alternative. We (= MySQL/ORACLE) focus mostly on mysqli, that’s the extension providing access to all current and future features of MySQL. True, many features could be added to PDO but there are two design decisions in PDO which make this bad:

  * The parser used for identifying statement place holders is very basic, as it is implemented in PDO core, not the drivers, which leads to FRs like #54929 or the famous LIKE issue[1]
  * driver-specific functions are implemented by using __call() which means there is no good introspection mechanism to check whether a feature is available or not in the current setup.

So as you can see from the above, mysqli is the best option. The “i” does stand for “improved”, after all.
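To make the two recommendations concrete (the escaping problem described under “obsolete and insecure”, and mysqli as the replacement), here is an added example that is not code from the original post. It assumes a table `users(id INT, email VARCHAR(255), name VARCHAR(255))` and the placeholder connection constants at the top; the legacy function is shown only for contrast and is never called, since ext/mysql no longer exists in PHP 7 and later. The LIKE search also shows how the “famous LIKE issue” from the quoted thread is handled on the mysqli side: the whole pattern is built in PHP and bound as one parameter.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes a table
// users(id INT, email VARCHAR(255), name VARCHAR(255)) and these
// placeholder connection details.
const DB_HOST = 'localhost';
const DB_USER = 'app_user';
const DB_PASS = 'change-me';
const DB_NAME = 'app_db';

// "Before": the ext/mysql pattern the post argues against (PHP 5 only; the
// extension was removed in PHP 7, so this function is defined but never
// called here). The SQL text is built by concatenation, so safety rests on
// escaping every value correctly for the connection's character set and on
// quoting it. Miss the quotes, or let the charset differ from what the
// escaper assumes, and the query is open to injection.
function legacyFindByEmail(string $email): ?array
{
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASS);
    mysql_select_db(DB_NAME, $link);
    $sql = "SELECT id, name FROM users WHERE email = '"
         . mysql_real_escape_string($email, $link) . "'";
    $res = mysql_query($sql, $link);
    $row = $res ? mysql_fetch_assoc($res) : false;
    mysql_close($link);
    return $row ?: null;
}

// "After": mysqli with server-side prepared statements. The statement text
// never contains user data; values travel separately, so there is no
// escaping step to get wrong.
function connect(): mysqli
{
    // Throw on any error instead of returning false and silently continuing.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    // Set the charset on the connection itself (not via "SET NAMES") so the
    // client library and the server agree on it.
    $db->set_charset('utf8mb4');
    return $db;
}

function findByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when nothing matched
    $stmt->close();
    return $row ?: null;
}

// The LIKE case from the quoted thread: the wildcard pattern is assembled in
// PHP and bound as a single parameter. LIKE's own metacharacters (% and _)
// and the backslash are escaped first, so a user typing "50%" matches a
// literal percent sign instead of every row. MySQL's default LIKE escape
// character is the backslash, which is what addcslashes() emits.
function searchByNamePrefix(mysqli $db, string $prefix, int $limit = 20): array
{
    $pattern = addcslashes($prefix, '%_\\') . '%';
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name LIKE ? LIMIT ?');
    $stmt->bind_param('si', $pattern, $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$db = connect();
// The quote-laden input is compared as a literal string; it cannot alter
// the statement, so this returns null unless such an email really exists.
var_dump(findByEmail($db, "alice@example.com' OR '1'='1"));
var_dump(searchByNamePrefix($db, 'Al'));
$db->close();
```

With `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` every failed call throws a `mysqli_sql_exception`, which is usually what you want in application code: a query that fails loudly is easier to notice in logs than one that returns `false` and is then used as if it had succeeded. The `get_result()` calls require the mysqlnd driver, which is the default in current PHP builds.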
