Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why are PHP's mysql_ functions deprecated? [duplicate]

Tags:

Playing Devil's Advocate a little here as I stopped using these functions a while ago, but the question is genuine and probably matters to a lot of SO users.

We all know that using mysql_ functions in the wrong way can be very dangerous, it can leave your website vulnerable, etc. but used correctly these functions can be protected against SQL injection and are actually a fair bit faster than the newer PDO functions.

Bearing all this in mind, why have the mysql_ functions been deprecated?

like image 403
Glitch Desire Avatar asked May 31 '13 14:05

Glitch Desire


People also ask

Is Mysqli deprecated?

What does the mysqli extension include? There are three different ways to access a MySQL database. The oldest one uses the MySQL extension, which was deprecated as of PHP 5.5 and fully removed in PHP 7. The mysql() function no longer works in PHP 7.

Why can't you use MySQL functions instead of Mysqli functions?

Reason to not use mysql_* function:Lacks an OO interface. Doesn't support non-blocking, asynchronous queries. Doesn't support prepared statements or parameterized queries. Doesn't support stored procedures.

What is mysql_ fetch_ array in PHP?

mysql_fetch_array is a PHP function that will allow you to access data stored in the result returned from the TRUE mysql_query if u want to know what is returned when you used the mysql_query function to query a Mysql database. It is not something that you can directly manipulate. Syntax.

How do you close a database in PHP?

The close() / mysqli_close() function closes a previously opened database connection.


1 Answers

The mysql extension is ancient and has been around since PHP 2.0, released 15 years ago (!!); which is a decidedly different beast than the modern PHP which tries to shed the bad practices of its past. The mysql extension is a very raw, low-level connector to MySQL which lacks many convenience features and is thereby hard to apply correctly in a secure fashion; it's therefore bad for noobs. Many developers do not understand SQL injection and the mysql API is fragile enough to make it hard to prevent it, even if you're aware of it. It is full of global state (implicit connection passing for instance), which makes it easy to write code that is hard to maintain. Since it's old, it may be unreasonably hard to maintain at the PHP core level.

The mysqli extension is a lot newer and fixes all the above problems. PDO is also rather new and fixes all those problems too, plus more.

Due to these reasons* the mysql extension will be removed sometime in the future. It did its job in its heyday, rather badly, but it did it. Time has moved on, best practices have evolved, applications have gotten more complex and require a more modern API. mysql is being retired, live with it.

Given all this, there's no reason to keep using it except for inertia.


* These are my common sense summary reasons; for the whole official story, look here: https://wiki.php.net/rfc/mysql_deprecation

Choice quotes from that document follow:

The documentation team is discussing the database security situation, and educating users to move away from the commonly used ext/mysql extension is part of this.

 

Moving away from ext/mysql is not only about security but also about having access to all features of the MySQL database.

 

ext/mysql is hard to maintain code. It is not not getting new features. Keeping it up to date for working with new versions of libmysql or mysqlnd versions is work, we probably could spend that time better.

like image 171
deceze Avatar answered Nov 12 '22 14:11

deceze