I recently became very active over at Stack Overflow, and after about a month of answering as many questions as I could rapidly answer, I noticed a pattern emerging. No one seems to be getting the message about PHP’s mysql_*() functions.
Here’s a news flash, guys: mysql_*() functions are deprecated as of PHP 5. That means no support, no further development, no ANYTHING from the people maintaining the code base.
The reasons cited for this change are many, including (copied directly from the PHP FAQs):
- Most systems these days already have the client library installed.
- Given the above, having multiple versions of the library can get messy. For example, if you link mod_auth_mysql against one version and PHP against another, and then enable both in Apache, you get a nice fat crash. Also, the bundled library didn’t always play well with the installed server version. The most obvious symptom of this being disagreement over where to find the mysql.socket Unix domain socket file.
- Maintenance was somewhat lax and it was falling further and further behind the released version.
- Future versions of the library are under the GPL and thus we don’t have an upgrade path since we cannot bundle a GPL’ed library in a BSD/Apache-style licensed project. A clean break in PHP 5 seemed like the best option.
I’ll even give you one more reason, and it’s a biggie: SQL Injection (cue the ominous tones). Yes, boys and girls, mysql_*() made no attempt at helping developers avoid the pitfalls of SQL injection right at the source. Instead it relied on the developers’ experience and knowledge of a) the existence of SQL injection and b) how to properly escape user-input data (mysql_escape_string() and mysql_real_escape_string(), which were iffy at best, by the way).
“But Matt,” you are probably thinking to yourself, “how am I supposed to interact with my wonderful, glorious MySQL database without the use of mysql_*() functions?” Well, token reader, I’ll tell you how: mysqli (available as of PHP 4.1) and PDO (available as of PHP 5.1).
There are many differences between the two. mysqli is an API, PDO is an object; mysqli talks only to MySQL databases, PDO can access many; and both offer prepared statements, which prevent SQL injection.
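To make the prepared-statement point concrete, here is an added example (not code from the original post) showing the old string-concatenated query next to the same lookup done with a PDO and a mysqli prepared statement. It assumes a MySQL server reachable with the placeholder DSN and credentials below and a `users(id, name, email)` table; both are assumptions, not part of the post.

```php
<?php
// Added example, not from the original post. Assumes a MySQL server reachable with
// the PLACEHOLDER_* credentials below and a table `users(id, name, email)`.

// The old way: the query is assembled by string concatenation, and the only
// protection is the developer remembering to escape every value by hand.
// With $name = "x' OR '1'='1" the WHERE clause becomes always-true.
function buildLegacyQuery(string $name): string
{
    return "SELECT id, email FROM users WHERE name = '" . $name . "'";
}

// PDO: the SQL text goes to the server with a named placeholder; the value is
// sent separately and is never parsed as SQL, whatever characters it contains.
function findUserPdo(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// mysqli: same idea with a positional "?" placeholder and an explicit type
// binding ('s' = string). get_result() needs the mysqlnd driver.
function findUserMysqli(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$hostile = "x' OR '1'='1";
echo buildLegacyQuery($hostile), PHP_EOL;   // prints the broken, always-true WHERE clause

$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side escaping
    ]
);
var_dump(findUserPdo($pdo, $hostile));      // NULL: no user is literally named "x' OR '1'='1"

$db = new mysqli('localhost', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', 'PLACEHOLDER_DB');
var_dump(findUserMysqli($db, $hostile));    // NULL as well: the value is data, not SQL
```

Turning off `PDO::ATTR_EMULATE_PREPARES` matters: with emulation on, PDO quotes values on the client side, which is exactly the escaping approach the post warns about.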
But hey, don’t take my word for it. The guys over at netplusplus wrote a great blog post explaining the differences between the two, and have tutorials on how to use both of them.