December 20, 2012

Why You Should Stop Using ext/mysql (mysql_* functions) in PHP Right Now

I cannot take credit for the content of this post; it comes from StackOverflow user Madara Uchiha, but it deserves as wide an audience as possible, so I am reposting it here for everyone to see and hopefully share. If you are a PHP developer you'd do well to heed the message and update your code accordingly.

Question: Why Shouldn't I Use mysql_* functions in PHP?

What are the technical reasons that I shouldn't use mysql_* functions? (mysql_query, mysql_connect, mysql_real_escape_string)?
Why should I change them as long as it works on my site?
(via StackOverflow)


First, let's begin with the standard comment we give everyone:
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
Let's go through this, sentence by sentence, and explain:
  • They are no longer maintained, and are officially deprecated
    This means that the PHP community is gradually dropping support for these very old functions. They are likely to not exist in a future (recent) version of PHP! Continued use of these functions may break your code in the (not so) far future.
    NEW! - ext/mysql is now officially deprecated as of PHP 5.5!
  • Instead, you should learn of prepared statements -
    The mysql_* extension does not support prepared statements, which is (among other things) a very effective countermeasure against SQL Injection. It fixed a very serious vulnerability in MySQL dependent applications which allows attackers to gain access to your script and perform any possible query on your database.
    For more information, see How to prevent SQL injection?
  • See the Red Box?
    When you go on any mysql function manual page, you see a red box, explaining it should not be used anymore.
  • Use either PDO or MySQLi
    There are better, more robust and well built alternatives, PDO - PHP Database Object, which offers a complete OOP approach to database interaction, and MySQLi, which is a MySQL specific improvement.
(via StackOverflow)
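To make the prepared-statement point concrete, here is an added example (not part of the StackOverflow answer or of any project) that puts the old string-building query next to a PDO prepared statement and feeds both the same injection payload. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database purely so that it runs offline; the table, rows and attacker input are constructed for the demonstration.

```php
<?php
// Added example: string-built query vs. PDO prepared statement.
// Assumes pdo_sqlite is available; the database and rows are constructed here.
declare(strict_types=1);

// Build an in-memory SQLite database so the example runs without a MySQL server.
function buildDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, is_admin INTEGER)');

    $ins = $pdo->prepare('INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)');
    // Constructed sample rows.
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
    $ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 0]);
    return $pdo;
}

// The pattern ext/mysql code usually had: user input pasted into the SQL text.
// A username containing a quote changes the query itself, so the WHERE clause
// can be rewritten by whoever controls $username.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, is_admin FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The replacement: the SQL text is fixed at prepare() time and the input is
// bound as a value, so it can only ever be compared against the column.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, is_admin FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = buildDemoDb();
$payload = "' OR '1'='1"; // constructed attacker input

// The unsafe function matches every row because the payload turns the
// condition into a tautology; the safe one looks for a literal username
// of "' OR '1'='1" and finds nothing.
printf("unsafe: %d row(s)\n", count(findUserUnsafe($pdo, $payload)));
printf("safe:   %d row(s)\n", count(findUserSafe($pdo, $payload)));
```

Against a real MySQL database the only change is the DSN (`mysql:host=...;dbname=...` with a username and password), plus setting `PDO::ATTR_EMULATE_PREPARES` to `false` so that the MySQL server, not the PHP driver, performs the binding. MySQLi offers the same protection through `prepare()` and `bind_param()`. Note that a prepared statement only parameterizes values; table and column names or `ORDER BY` targets still have to come from a whitelist in your own code.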
