The objective of the question is to have one or several well-constructed answers that serve as a reference when the `mysql_*` extension is being used in the code.
Answering questions here on Stack Overflow, I am surprised at the number of users who still maintain code that includes the `mysql_*` API or extension to handle the data, although the PHP Manual says the following:
This extension is obsolete as of PHP 5.5.0, so it has been removed since PHP 7.0.0. Instead, the mysqli or PDO_MySQL extension should be used. See also the General Information of the MySQL API for help in choosing a MySQL API.
That means that the functions:
`mysql_*` ... all those that start this way ...
All of these functions, and many others listed here, should be avoided.
To make matters worse, the functions are almost identical to those of the `mysqli` extension, which are recommended along with PDO. The only difference between the obsolete functions listed above and those of MySQLi is the letter `i` before the underscore.
So the question is this: What are the main serious reasons why I should stop using the `mysql_*` extension to query my data?
Reasons not to use the `mysql_*` API in PHP / MySQL:
- They are insecure by nature: you cannot use prepared statements, you can only create dynamic SQL statements (concatenating strings), which opens the door to SQL injection. There will be users who say that using `htmlspecialchars` solves that problem, but it has been proven that it can fail in some cases (e.g. with different character sets or with certain values).
- They are prone to errors: when SQL statements are generated by concatenating strings, it is easy to make mistakes when writing them (e.g. opening quotation marks and forgetting to close them), which will lead to errors in the database and wasted time debugging.
- They will stop working: as you put in the question and due to the previous points, they are considered obsolete as of version 5.5 of PHP and will stop working completely in PHP 7.
- They are not object oriented: this is not really a problem to justify their removal, but more of an inconvenience when it comes to programming. `MySQLi` has a procedural mode and an object-oriented mode, and `PDO` is object oriented.
And now a warning that was raised in the comments: if you use the `PDO` functions the same way you use the `mysql_*` ones (concatenated strings), they are just as dangerous. The tools must be used correctly (prepared statements) to be safe. Believing that the code is safer simply because it uses `PDO` is a serious error.
In summary: The great advantage of `PDO` is that prepared or parameterized statements can be used. Thanks to these, complexity and responsibility are passed on to the database itself … but it is still the responsibility of the developer to use those tools correctly.