 

Is it safe to use mysql_* functions if PDO and mysqli are not available?

I have a website hosted on a shared hosting. They have php 5.2.13 installed.

I know the vulnerabilities of SQL Injection and I want to prevent it.

So I want to use PDO or mysqli for preventing it.

But the problem is that when I used phpinfo() to view the hosting environment's PHP setup info,
I found that there was no MySQL driver for PDO and there was no support for mysqli in it.

So I wanted to know whether it will be safe to use those old mysql_* functions (along with functions like mysql_real_escape_string).

I looked at this one on SO but it wasn't very helpful to me: Prepared statements possible when mysqli and PDO are not available?

UPDATE:

I forgot to mention that most of the queries will be simple. There are no forms used so no user input will be used to make a query. All the queries will be hard coded with necessary parameters and they will not be changed once set.

Abubakkar asked Nov 06 '12 08:11


2 Answers

No. The lack of more secure solutions is never a valid excuse to fall back to a less secure or more vulnerable solution.

You're much better off finding a different hosting provider that doesn't disable arbitrary PHP features even in their shared hosting packages. Oh, and try to get one that uses PHP 5.3, or better yet if you can, PHP 5.4.

BoltClock answered Sep 22 '22 20:09


If you're really rigorous about always using mysql_real_escape_string() with all user-supplied input, then I think you should be safe from any SQL injection that prepared statements protect you from.

How perfect are you at this? I'll bet most of the buffer overflow vulnerabilities were created by programmers who thought they were good at checking inputs....

Barmar answered Sep 24 '22 20:09
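As an added example (not code from the question or from either answer): the discipline Barmar describes is easiest to keep when mysql_real_escape_string() is never called inline, and every query instead goes through one helper that emulates prepared statements on top of the legacy mysql_* extension. The helper names db_connect/db_query and the credentials are assumptions for illustration.

```php
<?php
// Added example: emulated prepared statements over the legacy mysql_* API.
// Centralising the escaping means a forgotten mysql_real_escape_string()
// call cannot slip through. Credentials below are placeholders.

function db_connect($host, $user, $pass, $dbname) {
    $link = mysql_connect($host, $user, $pass);
    if (!$link || !mysql_select_db($dbname, $link)) {
        die('Connection failed: ' . mysql_error());
    }
    // mysql_real_escape_string() is only correct when the client library
    // knows the real connection charset; running "SET NAMES" through
    // mysql_query() does not update it, mysql_set_charset() does.
    mysql_set_charset('utf8', $link);
    return $link;
}

// Replace each "?" in $sql with a safely encoded version of the matching
// value: strings are escaped AND quoted, ints/floats are cast, bools become
// 0/1, NULL becomes SQL NULL. No value is ever concatenated raw.
function db_query($link, $sql, array $params = array()) {
    $parts = explode('?', $sql);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException('Placeholder/parameter count mismatch');
    }
    $out = $parts[0];
    foreach ($params as $i => $value) {
        if ($value === null) {
            $encoded = 'NULL';
        } elseif (is_int($value)) {
            $encoded = (string) $value;          // unquoted numbers must be cast
        } elseif (is_float($value)) {
            $encoded = sprintf('%F', $value);    // %F is locale-independent
        } elseif (is_bool($value)) {
            $encoded = $value ? '1' : '0';
        } else {
            $encoded = "'" . mysql_real_escape_string((string) $value, $link) . "'";
        }
        $out .= $encoded . $parts[$i + 1];
    }
    $result = mysql_query($out, $link);
    if ($result === false) {
        throw new RuntimeException('Query failed: ' . mysql_error($link));
    }
    return $result;
}

// Usage: the quote in the first value is escaped and the LIMIT is cast to
// int, so neither parameter can change the structure of the statement.
$link = db_connect('localhost', 'app', 'secret', 'shop');
$rs = db_query($link, "SELECT id, name FROM products WHERE name = ? AND stock > ? LIMIT ?",
               array("O'Reilly", 0, 10));
```

Placeholders cannot stand in for identifiers (table or column names) and the helper does not escape LIKE wildcards (% and _), so those still need whitelisting or separate handling. A literal ? in the SQL text must itself be passed as a parameter, since the helper splits on that character.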