Why should not use mysql_* API in PHP / MySQL?

  Tags: , , ,


The objective of the question is to have one or several well-constructed answers that serve as reference when the extension is being used mysql_*in the code.

Answering questions here in Stackoverflow I am surprised at the number of users who still maintain code that includes the API or extension mysql_*to handle the data, although in the PHP Manual itsays the following:

This extension is obsolete as of PHP 5.5.0, so it has been removed since PHP 7.0.0. Instead, the mysqli or PDO_MySQL extension should be used . See also the General Information of the MySQL API for help in choosing a MySQL API.

That means that the functions:

  • mysql_result
  • mysql_select_db
  • mysql_num_rows
  • mysql_connect
  • mysql_db_query
  • mysql_fetch_assoc
  • mysql_*... todas las que empiecen así ....

All of these functions, and many others listed here , should be avoided.

To make matters worse, the functions are almost identical to those of extension mysqli, which are recommended along with PDO. The only difference between the obsolete functions listed above and those of MySQLi, is the letter ibefore the underscore _.

So the question is this: What are the main serious reasons why I should stop using the extension mysql_*to consult my data?

Reason to not use the mysql_* API  in PHP / MySQL:

The main drawbacks of the functions mysql_*:
  1. They are insecure by nature : you can not use prepared statements, you can only create dynamic SQL statements (concatenating strings), which opens the door to SQL injection. There will be users who say that using mysql_real_escape_stingaddslashesor htmlspecialcharsthat problem is solved, but it has been proven that they can fail in some cases (eg with different character sets or with certain values ).
  2. They are prone to errors : when SQL statements are generated by concatenating strings, it is easy to make mistakes when writing them (eg, opening quotation marks and forgetting to close them), which will lead to errors in the database and waste time debugging.
  3. They will stop working : as you put in the question and due to the previous points, they are considered obsolete as of version 5.5 of PHP and will stop working completely in the PHP7 version.
  4. They are not object oriented : this is not really a problem to justify their removal, but more of an inconvenience when it comes to programming. MySQLiIt has procedural mode and object oriented mode and PDOis object oriented.

And now a warning that put in the comments: if you use the functions MySQLior PDOthe same way you use the mysql_*(concatenated chains) are just as dangerous. The tools must be used correctly (prepared sentences) to be safe. Consider that the code is safer simply to use MySQLior PDOis a serious error.

In summary: The great advantage of mysqli_*PDOis that ready-made or parameterized sentences can be used . Thanks to these, complexity and responsibility are passed on to the database itself … but it is still the responsibility of the developer to use those tools correctly.