What are the technical reasons for why one shouldn't use mysql_* functions (e.g. mysql_query(), mysql_connect() or mysql_real_escape_string())?
Why should I use something else even if they work on my site?
If they don’t work on my site, why do I get errors like
Warning: mysql_connect(): No such file or directory
Answer 1
The MySQL extension:
- Is not under active development
- Is officially deprecated as of PHP 5.5 (released June 2013).
- Has been removed entirely as of PHP 7.0 (released December 2015)
- This means that as of 31 Dec 2018 it does not exist in any supported version of PHP. If you are using a version of PHP which supports it, you are using a version which doesn’t get security problems fixed.
- Lacks an OO interface
- Doesn’t support:
- Non-blocking, asynchronous queries
- Prepared statements or parameterized queries
- Stored procedures
- Multiple Statements
- Transactions
- The “new” password authentication method (on by default in MySQL 5.6; required in 5.7)
- Any of the new functionality in MySQL 5.1 or later
Since it is deprecated, using it makes your code less future proof.
Lack of support for prepared statements is particularly important as they provide a clearer, less error-prone method of escaping and quoting external data than manually escaping it with a separate function call.
See the comparison of SQL extensions.
Deprecated alone is reason enough to avoid them. They will not be there one day, and you will not be happy if you rely on them. The rest is just a list of things that using the old extensions has kept people from learning.
Deprecation isn’t the magic bullet everyone seems to think it is. PHP itself will not be there one day, yet we rely on the tools we have at our disposal today. When we have to change tools, we will.
Deprecation isn’t a magic bullet, it is a flag that says “We recognise this sucks so we aren’t going to support it for much longer”. While having better future proofing of code is a good reason to move away from the deprecated features, it isn’t the only one (or even the main one). Change tools because there are better tools, not because you are forced to. (And changing tools before you are forced to means that you aren’t learning the new ones just because your code has stopped working and needs fixing yesterday … which is the worst time to learn new tools). – Quentin
The prepared statements thing is the big one for me. Much of PHP's early reputation as being a cursed language security-wise stems from the early days where the combination of magic variables and SQL via interpolation combined to make for some very stupid code. Prepared statements go a LONG way to preventing this. Never interpolate SQL. Just… don't do it.
"Doesn't support: Non-blocking, asynchronous queries" – that's also a reason to not use PDO, it doesn't support async queries (unlike mysqli) – hanshenrik
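Answer 1 lists prepared statements and transactions among the features ext/mysql never had. The following is an added example written for this page (it is not code from the answer, from the PHP manual, or from any library), showing the same lookup written the interpolation way and the bound-parameter way, followed by a transaction that rolls back on failure. It assumes an in-memory SQLite database via pdo_sqlite instead of MySQL so that it runs offline; the users table, its rows and the attacker string are constructed for the demonstration, and the MySQL DSN mentioned in the comment is the only change needed to run it against MySQL.

```php
<?php
// Added example, not code from the answer above: the same lookup written the
// mysql_*-style way (string interpolation) and with a bound parameter, plus a
// transaction, two of the features ext/mysql never had. Assumption: an
// in-memory SQLite database stands in for MySQL so this runs offline; for a
// real deployment use a DSN such as "mysql:host=...;dbname=...;charset=utf8mb4".
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed sample schema and rows.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, balance INTEGER NOT NULL)');
    $db->exec("INSERT INTO users (name, balance) VALUES ('alice', 100), ('bob', 50)");
    return $db;
}

// The mysql_query() habit reproduced with PDO::query(): input is glued into the
// SQL, so a quote inside $name ends the string literal and the rest becomes SQL.
function findUserInterpolated(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";   // never do this
    return $db->query($sql)->fetchAll();
}

// The prepared-statement version: the SQL text is fixed, the value travels
// separately and is only ever compared as a string, quotes included.
function findUserPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll();
}

// Move money between two accounts atomically; ext/mysql offered no transaction
// API at all. Returns true on commit, false if the transfer was rolled back.
function transfer(PDO $db, int $from, int $to, int $amount): bool
{
    $db->beginTransaction();
    try {
        // Each placeholder name is used once; MySQL with native prepares
        // rejects a named placeholder that appears twice in one statement.
        $debit = $db->prepare(
            'UPDATE users SET balance = balance - :amount WHERE id = :id AND balance >= :minimum');
        $debit->bindValue(':amount', $amount, PDO::PARAM_INT);
        $debit->bindValue(':minimum', $amount, PDO::PARAM_INT);
        $debit->bindValue(':id', $from, PDO::PARAM_INT);
        $debit->execute();
        if ($debit->rowCount() !== 1) {
            throw new RuntimeException('insufficient funds or unknown account');
        }
        $credit = $db->prepare('UPDATE users SET balance = balance + :amount WHERE id = :id');
        $credit->bindValue(':amount', $amount, PDO::PARAM_INT);
        $credit->bindValue(':id', $to, PDO::PARAM_INT);
        $credit->execute();
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();   // nothing from the failed transfer is persisted
        return false;
    }
}

$db = connect();
$attack = "x' OR '1'='1";   // constructed attacker input

// The interpolated query's WHERE clause is rewritten by the input and matches
// every row; the prepared query looks for that literal name and matches none.
printf("interpolated: %d rows, prepared: %d rows\n",
    count(findUserInterpolated($db, $attack)),
    count(findUserPrepared($db, $attack)));

// The first transfer commits; the second exceeds bob's balance, so the debit
// touches no row and the whole transaction is rolled back.
printf("transfer 30: %s\n", transfer($db, 1, 2, 30) ? 'committed' : 'rolled back');
printf("transfer 500: %s\n", transfer($db, 2, 1, 500) ? 'committed' : 'rolled back');
print_r($db->query('SELECT name, balance FROM users ORDER BY id')->fetchAll());
```

Run it with `php example.php`. The point of the two lookups is that the attacker string never needs escaping in the prepared version: it is sent as a value, not as part of the statement text. The transfer function shows the other half of the argument: with ext/mysql there was no beginTransaction()/commit()/rollBack(), so a failure between the two UPDATEs would have left the balances inconsistent.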
Answer 2
PHP offers three different APIs to connect to MySQL. These are the mysql (removed as of PHP 7), mysqli, and PDO extensions.
The mysql_* functions used to be very popular, but their use is not encouraged anymore. The documentation team is discussing the database security situation, and educating users to move away from the commonly used ext/mysql extension is part of this (check php.internals: deprecating ext/mysql).
And later the PHP developer team took the decision to generate E_DEPRECATED errors when users connect to MySQL, whether through mysql_connect(), mysql_pconnect() or the implicit connection functionality built into ext/mysql.
ext/mysql was officially deprecated as of PHP 5.5 and has been removed as of PHP 7.
See the Red Box?
When you go to any mysql_* function manual page, you see a red box, explaining it should not be used anymore.
Why
Moving away from ext/mysql is not only about security, but also about having access to all the features of the MySQL database.
ext/mysql was built for MySQL 3.23 and only got very few additions since then, while mostly keeping compatibility with this old version, which makes the code a bit harder to maintain. Missing features that are not supported by ext/mysql include (from the PHP manual):
- Stored procedures (can’t handle multiple result sets)
- Prepared statements
- Encryption (SSL)
- Compression
- Full Charset support
Reasons not to use mysql_* functions:
- Not under active development
- Removed as of PHP 7
- Lacks an OO interface
- Doesn’t support non-blocking, asynchronous queries
- Doesn’t support prepared statements or parameterized queries
- Doesn’t support stored procedures
- Doesn’t support multiple statements
- Doesn’t support transactions
- Doesn’t support all of the functionality in MySQL 5.1
Above point quoted from Quentin’s answer
Lack of support for prepared statements is particularly important as they provide a clearer, less error prone method of escaping and quoting external data than manually escaping it with a separate function call.
See the comparison of SQL extensions.
Suppressing deprecation warnings
While code is being converted to MySQLi/PDO, E_DEPRECATED errors can be suppressed by setting error_reporting in php.ini to exclude E_DEPRECATED:
error_reporting = E_ALL ^ E_DEPRECATED
Note that this will also hide other deprecation warnings, which, however, may be for things other than MySQL. (from PHP manual)
The article PDO vs. MySQLi: Which Should You Use? by Dejan Marjanovic will help you to choose.
And a better way is PDO, and I am now writing a simple PDO tutorial.
A simple and short PDO tutorial
Q. First question in my mind was: what is `PDO`?
A. “PDO – PHP Data Objects – is a database access layer providing a uniform method of access to multiple databases.”
Connecting to MySQL
With mysql_* functions, or we can say the old way (deprecated in PHP 5.5 and above):
$link = mysql_connect('localhost', 'user', 'pass');
mysql_select_db('testdb', $link);
mysql_set_charset('utf8', $link);
With PDO: All you need to do is create a new PDO object. The constructor accepts parameters for specifying the database source. PDO's constructor mostly takes four parameters, which are the DSN (data source name) and optionally username and password.
Here I think you are familiar with all except DSN; this is new in PDO. A DSN is basically a string of options that tell PDO which driver to use, and connection details. For further reference, check PDO MySQL DSN.
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');
Note: you can also use charset=UTF-8, but sometimes it causes an error, so it's better to use utf8.
If there is any connection error, it will throw a PDOException object that can be caught to handle the exception further.
Good read: Connections and Connection management
You can also pass in several driver options as an array to the fourth parameter. I recommend passing the parameter which puts PDO into exception mode. Because some PDO drivers don't support native prepared statements, PDO performs emulation of the prepare. It also lets you manually enable this emulation. To use the native server-side prepared statements, you should explicitly set it to false.
The other is to turn off prepare emulation, which is enabled in the MySQL driver by default, but prepare emulation should be turned off to use PDO safely.
I will later explain why prepare emulation should be turned off. To find the reason, please check this post.
It is only usable if you are using an old version of MySQL, which I do not recommend.
Below is an example of how you can do it:
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8',
              'username',
              'password',
              array(PDO::ATTR_EMULATE_PREPARES => false,
                    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
Can we set attributes after PDO construction?
Yes, we can also set some attributes after PDO construction with the setAttribute method:
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8',
              'username',
              'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
Error Handling
Error handling is much easier in PDO than mysql_*.
A common practice when using mysql_* is:
//Connected to MySQL
$result = mysql_query("SELECT * FROM table", $link) or die(mysql_error($link));
or die() is not a good way to handle the error, since we cannot handle anything in die. It will just end the script abruptly and then echo the error to the screen, which you usually do NOT want to show to your end users, and let bloody hackers discover your schema. Alternatively, the return values of mysql_* functions can often be used in conjunction with mysql_error() to handle errors.
PDO offers a better solution: exceptions. Anything we do with PDO should be wrapped in a try–catch block. We can force PDO into one of three error modes by setting the error mode attribute. The three error handling modes are below.
- PDO::ERRMODE_SILENT: It's just setting error codes and acts pretty much the same as mysql_*, where you must check each result and then look at $db->errorInfo(); to get the error details.
- PDO::ERRMODE_WARNING: Raise E_WARNING. (Run-time warnings (non-fatal errors). Execution of the script is not halted.)
- PDO::ERRMODE_EXCEPTION: Throw exceptions. It represents an error raised by PDO. You should not throw a PDOException from your own code. See Exceptions for more information about exceptions in PHP. It acts very much like or die(mysql_error()); when it isn't caught. But unlike or die(), the PDOException can be caught and handled gracefully if you choose to do so.
Like:
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
And you can wrap it in try–catch, like below:
try {
//Connect as appropriate as above
$db->query('hi'); //Invalid query!
}
catch (PDOException $ex) {
    echo "An error occurred!"; //User friendly message/message you want to show to user
some_logging_function($ex->getMessage());
}
You do not have to handle it with try–catch right now. You can catch it at any time appropriate, but I strongly recommend you to use try–catch. Also, it may make more sense to catch it outside the function that calls the PDO stuff:
function data_fun($db) {
$stmt = $db->query("SELECT * FROM table");
return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
//Then later
try {
data_fun($db);
}
catch(PDOException $ex) {
//Here you can handle error and show message/perform action you want.
}
Also, you can handle it with or die(), or we can say like mysql_*, but it will be really varied. You can hide the dangerous error messages in production by turning display_errors off and just reading your error log.
Now, after reading all the things above, you are probably thinking: what the heck is that, when I just want to start learning simple SELECT, INSERT, UPDATE, or DELETE statements? Don't worry, here we go:
Selecting Data
So what you are doing in mysql_* is:
<?php
$result = mysql_query('SELECT * from table') or die(mysql_error());
$num_rows = mysql_num_rows($result);
while($row = mysql_fetch_assoc($result)) {
echo $row['field1'];
}
Now in PDO, you can do this like:
<?php
$stmt = $db->query('SELECT * FROM table');
while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
echo $row['field1'];
}
Or
<?php
$stmt = $db->query('SELECT * FROM table');
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
//Use $results
Note: If you are using the method like below (query()), this method returns a PDOStatement object. So if you want to fetch the result, use it like above.
<?php
foreach($db->query('SELECT * FROM table') as $row) {
echo $row['field1'];
}
In PDO, data is obtained via ->fetch(), a method of your statement handle. Before calling fetch, the best approach would be telling PDO how you'd like the data to be fetched. In the section below I explain this.
Fetch Modes
Note the use of PDO::FETCH_ASSOC in the fetch() and fetchAll() code above. This tells PDO to return the rows as an associative array with the field names as keys. There are many other fetch modes too, which I will explain one by one.
First of all, I explain how to select the fetch mode:
$stmt->fetch(PDO::FETCH_ASSOC)
In the above, I have been using fetch(). You can also use:
- PDOStatement::fetchAll() – Returns an array containing all of the result set rows
- PDOStatement::fetchColumn() – Returns a single column from the next row of a result set
- PDOStatement::fetchObject() – Fetches the next row and returns it as an object.
- PDOStatement::setFetchMode() – Set the default fetch mode for this statement
Now I come to fetch modes:
- PDO::FETCH_ASSOC: returns an array indexed by column name as returned in your result set
- PDO::FETCH_BOTH (default): returns an array indexed by both column name and 0-indexed column number as returned in your result set
There are even more choices! Read about them all in the PDOStatement Fetch documentation.
Getting the row count:
Instead of using mysql_num_rows to get the number of returned rows, you can get a PDOStatement and do rowCount(), like:
<?php
$stmt = $db->query('SELECT * FROM table');
$row_count = $stmt->rowCount();
echo $row_count.' rows selected';
Getting the Last Inserted ID
<?php
$result = $db->exec("INSERT INTO table(firstname, lastname) VALUES('John', 'Doe')");
$insertId = $db->lastInsertId();
Insert and Update or Delete statements
What we are doing in mysql_* functions is:
<?php
$result = mysql_query("UPDATE table SET field='value'") or die(mysql_error());
echo mysql_affected_rows();
And in PDO, this same thing can be done by:
<?php
$affected_rows = $db->exec("UPDATE table SET field='value'");
echo $affected_rows;
In the above query, PDO::exec executes an SQL statement and returns the number of affected rows.
Insert and delete will be covered later.
The above method is only useful when you are not using variables in the query. But when you need to use a variable in a query, do not ever try it like the above; that is what prepared (parameterized) statements are for.
Prepared Statements
Q. What is a prepared statement and why do I need them?
A. A prepared statement is a pre-compiled SQL statement that can be executed multiple times by sending only the data to the server.
The typical workflow of using a prepared statement is as follows (quoted from Wikipedia, three points):
- Prepare: The statement template is created by the application and sent to the database management system (DBMS). Certain values are left unspecified, called parameters, placeholders or bind variables (labelled ? below):
INSERT INTO PRODUCT (name, price) VALUES (?, ?)
- The DBMS parses, compiles, and performs query optimization on the statement template, and stores the result without executing it.
- Execute: At a later time, the application supplies (or binds) values for the parameters, and the DBMS executes the statement (possibly returning a result). The application may execute the statement as many times as it wants with different values. In this example, it might supply 'Bread' for the first parameter and 1.00 for the second parameter.
You can use a prepared statement by including placeholders in your SQL. There are basically three kinds: one without placeholders (don't try this with variables; that is the one above), one with unnamed placeholders, and one with named placeholders.
Q. So now, what are named placeholders and how do I use them?
A. Named placeholders. Use descriptive names preceded by a colon, instead of question marks. We don't care about the position/order of values with named placeholders:
$stmt->bindParam(':bla', $bla);
bindParam(parameter, variable, data_type, length, driver_options)
You can also bind using an execute array as well:
<?php
$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->execute(array(':name' => $name, ':id' => $id));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
Another nice feature for OOP friends is that named placeholders have the ability to insert objects directly into your database, assuming the properties match the named fields. For example:
class person {
    public $name;
    public $add;
    function __construct($a, $b) {
        $this->name = $a;
        $this->add = $b;
    }
}
$demo = new person('john', '29 bla district');
$stmt = $db->prepare("INSERT INTO table (name, add) value (:name, :add)");
$stmt->execute((array)$demo);
Q. So now, what are unnamed placeholders and how do I use them?
A. Let’s have an example:
<?php
$stmt = $db->prepare("INSERT INTO folks (name, add) values (?, ?)");
$stmt->bindValue(1, $name, PDO::PARAM_STR);
$stmt->bindValue(2, $add, PDO::PARAM_STR);
$stmt->execute();
and
$stmt = $db->prepare("INSERT INTO folks (name, add) values (?, ?)");
$stmt->execute(array('john', '29 bla district'));
In the above, you can see those ? instead of a name like in a named placeholder. Now in the first example, we assign variables to the various placeholders ($stmt->bindValue(1, $name, PDO::PARAM_STR);). Then, we assign values to those placeholders and execute the statement. In the second example, the first array element goes to the first ? and the second to the second ?.
NOTE: With unnamed placeholders we must take care of the proper order of the elements in the array that we are passing to the PDOStatement::execute() method.
SELECT, INSERT, UPDATE, DELETE prepared queries
SELECT:
$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->execute(array(':name' => $name, ':id' => $id));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
INSERT:
$stmt = $db->prepare("INSERT INTO table(field1,field2) VALUES(:field1,:field2)");
$stmt->execute(array(':field1' => $field1, ':field2' => $field2));
$affected_rows = $stmt->rowCount();
DELETE:
$stmt = $db->prepare("DELETE FROM table WHERE id=:id");
$stmt->bindValue(':id', $id, PDO::PARAM_STR);
$stmt->execute();
$affected_rows = $stmt->rowCount();
UPDATE:
$stmt = $db->prepare("UPDATE table SET name=? WHERE id=?");
$stmt->execute(array($name, $id));
$affected_rows = $stmt->rowCount();
NOTE:
However PDO and/or MySQLi are not completely safe. Check the answer Are PDO prepared statements sufficient to prevent SQL injection? by ircmaxell. Also, I am quoting some part from his answer:
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->query('SET NAMES GBK');
$stmt = $pdo->prepare("SELECT * FROM test WHERE name = ? LIMIT 1");
$stmt->execute(array(chr(0xbf) . chr(0x27) . " OR 1=1 /*"));
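The quoted snippet sets the connection charset with SET NAMES instead of in the DSN, so the client-side escaper that emulated prepares rely on does not know the real charset. The following is an added example written for this page (it is not code from ircmaxell's answer or from the answer above) that shows the byte-level mechanism without a database: addslashes() stands in for a charset-unaware escaper, and mb_str_split() with the 'GBK' encoding shows how a server that does know the charset groups the escaped bytes. It needs ext/mbstring. The hardenedConnection() function at the end, its parameters and its utf8mb4 DSN are illustrative assumptions (the answer itself uses charset=utf8).

```php
<?php
// Added example, not code from the quoted answer: why the client-side escaper
// behind emulated prepares fails when it does not know the connection charset.
// Assumptions: addslashes() models a charset-unaware escaper (backslash before
// the quote); mb_str_split() with 'GBK' models how a GBK-aware server splits
// the bytes into characters. Needs ext/mbstring, no database connection.
declare(strict_types=1);

// The payload quoted above: a GBK lead byte, a single quote, then SQL.
function payload(): string
{
    return chr(0xbf) . chr(0x27) . " OR 1=1 /*";
}

// A single-byte escaper: the quote gets a backslash (0x5C) in front of it.
function escapeSingleByte(string $s): string
{
    return addslashes($s);
}

// Split the escaped bytes into GBK characters, as the server's parser would.
function gbkChars(string $bytes): array
{
    return mb_str_split($bytes, 1, 'GBK');
}

// True when the quote is still a character of its own after escaping,
// i.e. the backslash meant to protect it was absorbed by the byte before it.
function quoteSurvives(string $escaped): bool
{
    $chars = gbkChars($escaped);
    return isset($chars[1]) && $chars[1] === "'";
}

$escaped = escapeSingleByte(payload());
$chars   = gbkChars($escaped);

// 0xBF is a GBK lead byte and 0x5C is a valid GBK trail byte, so the server
// reads BF 5C as one two-byte character; the quote after it is unescaped and
// closes the string literal early, letting "OR 1=1 /*" become SQL.
printf("escaped bytes:  %s\n", bin2hex($escaped));
printf("first GBK char: %s (%d bytes)\n", bin2hex($chars[0]), strlen($chars[0]));
printf("quote survives: %s\n", quoteSurvives($escaped) ? 'yes' : 'no');

// The remedy the answer above argues for: name the charset in the DSN so the
// driver knows it, and turn emulation off so values are never spliced into
// the SQL text on the client at all. Connection details are hypothetical.
function hardenedConnection(string $host, string $dbname, string $user, string $pass): PDO
{
    return new PDO("mysql:host=$host;dbname=$dbname;charset=utf8mb4", $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

The function names are mine. The printed hex makes the failure visible: the escaper inserted its backslash, but in the charset the server actually uses that backslash is the second half of a character rather than an escape, which is exactly why a charset selected by SET NAMES behind the driver's back defeats client-side escaping while a charset declared in the DSN does not.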
Answer 3
First, let's begin with the standard comment we give everyone:
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi – this article will help you decide which. If you choose PDO, here is a good tutorial.
Let's go through this, sentence by sentence, and explain:
- They are no longer maintained, and are officially deprecated
  This means that the PHP community is gradually dropping support for these very old functions. They are likely to not exist in a future (recent) version of PHP! Continued use of these functions may break your code in the (not so) far future.
  NEW! – ext/mysql is now officially deprecated as of PHP 5.5!
  Newer! ext/mysql has been removed in PHP 7.
- Instead, you should learn of prepared statements
  The mysql_* extension does not support prepared statements, which is (among other things) a very effective countermeasure against SQL Injection. It fixed a very serious vulnerability in MySQL dependent applications which allows attackers to gain access to your script and perform any possible query on your database. For more information, see How can I prevent SQL injection in PHP?
- See the Red Box?
  When you go to any mysql function manual page, you see a red box, explaining it should not be used anymore.
- Use either PDO or MySQLi
  There are better, more robust and well-built alternatives, PDO – PHP Database Object, which offers a complete OOP approach to database interaction, and MySQLi, which is a MySQL specific improvement.
Answer 4
Ease of use
The analytic and synthetic reasons were already mentioned. For newcomers there’s a more significant incentive to stop using the dated mysql_ functions.
Contemporary database APIs are just easier to use.
It’s mostly the bound parameters which can simplify code. And with excellent tutorials (as seen above) the transition to PDO isn’t overly arduous.
Rewriting a larger code base at once however takes time. Raison d’être for this intermediate alternative:
Equivalent pdo_* functions in place of mysql_*
Using <pdo_mysql.php> you can switch from the old mysql_ functions with minimal effort. It adds pdo_ function wrappers which replace their mysql_ counterparts.
- Simply include_once("pdo_mysql.php"); in each invocation script that has to interact with the database.
- Remove the mysql_ function prefix everywhere and replace it with pdo_.
  - mysql_connect() becomes pdo_connect()
  - mysql_query() becomes pdo_query()
  - mysql_num_rows() becomes pdo_num_rows()
  - mysql_insert_id() becomes pdo_insert_id()
  - mysql_fetch_array() becomes pdo_fetch_array()
  - mysql_fetch_assoc() becomes pdo_fetch_assoc()
  - mysql_real_escape_string() becomes pdo_real_escape_string()
  - and so on…
- Your code will work alike and still mostly look the same:
include_once("pdo_mysql.php");
pdo_connect("localhost", "usrABC", "pw1234567");
pdo_select_db("test");
$result = pdo_query("SELECT title, html FROM pages");
while ($row = pdo_fetch_assoc($result)) {
    print "$row[title] - $row[html]";
}
Et voilà.
Your code is using PDO.
Now it's time to actually utilize it.
Bound parameters can be easy to use
You just need a less unwieldy API.
pdo_query() adds very facile support for bound parameters. Converting old code is straightforward:
- Move your variables out of the SQL string.
- Add them as comma delimited function parameters to pdo_query().
- Place question marks ? as placeholders where the variables were before.
- Get rid of ' single quotes that previously enclosed string values/variables.
The advantage becomes more obvious for lengthier code.
Often string variables aren’t just interpolated into SQL, but concatenated with escaping calls in between.
pdo_query("SELECT id, links, html, title, user, date FROM articles
WHERE title='" . pdo_real_escape_string($title) . "' OR id='".
pdo_real_escape_string($title) . "' AND user <> '" .
pdo_real_escape_string($root) . "' ORDER BY date")
With ? placeholders applied you don't have to bother with that:
pdo_query("SELECT id, links, html, title, user, date FROM articles
           WHERE title=? OR id=? AND user<>? ORDER BY date", $title, $id, $root)
Remember that pdo_* still allows either or. Just don't escape a variable and bind it in the same query.
- The placeholder feature is provided by the real PDO behind it.
- Thus :named placeholder lists are also allowed later.
More importantly you can pass $_REQUEST[] variables safely behind any query. When submitted <form> fields match the database structure exactly it's even shorter:
pdo_query("INSERT INTO pages VALUES (?,?,?,?,?)", $_POST);
So much simplicity. But let's get back to some more rewriting advice and technical reasons on why you may want to get rid of mysql_ and escaping.
Fix or remove any oldschool sanitize() function
Once you have converted all mysql_ calls to pdo_query with bound params, remove all redundant pdo_real_escape_string calls.
In particular you should fix any sanitize or clean or filterThis or clean_data functions as advertised by dated tutorials in one form or the other:
function sanitize($str) {
return trim(strip_tags(htmlentities(pdo_real_escape_string($str))));
}
Most glaring bug here is the lack of documentation. More significantly the order of filtering was in exactly the wrong order.
- Correct order would have been: deprecatedly stripslashes as the innermost call, then trim, afterwards strip_tags, htmlentities for output context, and only lastly the _escape_string as its application should directly precede the SQL interspersing.
- But as first step just get rid of the _real_escape_string call.
- You may have to keep the rest of your sanitize() function for now if your database and application flow expect HTML-context-safe strings. Add a comment that it applies only HTML escaping henceforth.
- String/value handling is delegated to PDO and its parameterized statements.
- If there was any mention of stripslashes() in your sanitize function, it may indicate a higher level oversight.
  - That was commonly there to undo damage (double escaping) from the deprecated magic_quotes. Which however is best fixed centrally, not string by string.
  - Use one of the userland reversal approaches. Then remove the stripslashes() in the sanitize function.
  - Then PHP3/Zend reintroduced magic_quotes for MySQL and misdocumented it. But originally it was just a convenience feature, not intended for security.
How prepared statements differ
When you scramble string variables into the SQL queries, it doesn’t just get more intricate for you to follow. It’s also extraneous effort for MySQL to segregate code and data again.
SQL injections simply are when data bleeds into code context. A database server can't later spot where PHP originally glued variables in between query clauses.
With bound parameters you separate SQL code and SQL-context values in your PHP code. But it doesn't get shuffled up again behind the scenes (except with PDO::ATTR_EMULATE_PREPARES). Your database receives the unvaried SQL commands and 1:1 variable values.
While this answer stresses that you should care about the readability advantages of dropping mysql_, there's occasionally also a performance advantage (repeated INSERTs with just differing values) due to this visible and technical data/code separation.
Beware that parameter binding still isn’t a magic one-stop solution against all SQL injections. It handles the most common use for data/values. But can’t whitelist column name / table identifiers, help with dynamic clause construction, or just plain array value lists.
Hybrid PDO use
These pdo_* wrapper functions make a coding-friendly stop-gap API. (It's pretty much what MYSQLI could have been if it wasn't for the idiosyncratic function signature shift). They also expose the real PDO at most times.
Rewriting doesn’t have to stop at using the new pdo_ function names. You could one by one transition each pdo_query() into a plain $pdo->prepare()->execute() call.
It’s best to start at simplifying again however. For example the common result fetching:
$result = pdo_query("SELECT * FROM tbl");
while ($row = pdo_fetch_assoc($result)) {
Can be replaced with just an foreach iteration:
foreach ($result as $row) {
Or better yet a direct and complete array retrieval:
$result->fetchAll();
You’ll get more helpful warnings in most cases than PDO or mysql_ usually provide after failed queries.
Other options
So this hopefully visualized some practical reasons and a worthwhile pathway to drop mysql_.
Just switching to pdo doesn't quite cut it. pdo_query() is also just a frontend onto it.
Unless you also introduce parameter binding or can utilize something else from the nicer API, it’s a pointless switch. I hope it’s portrayed simple enough to not further the discouragement to newcomers. (Education usually works better than prohibition.)
While it qualifies for the simplest-thing-that-could-possibly-work category, it’s also still very experimental code. I just wrote it over the weekend. There’s a plethora of alternatives however. Just google for PHP database abstraction and browse a little. There always have been and will be lots of excellent libraries for such tasks.
If you want to simplify your database interaction further, mappers like Paris/Idiorm are worth a try. Just like nobody uses the bland DOM in JavaScript anymore, you don't have to babysit a raw database interface nowadays.
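Answer 4 describes a pdo_query() frontend that takes the SQL and its values as separate arguments, and notes that binding alone cannot whitelist a column name, build a dynamic clause, or bind a plain array of values. The following is an added example written for this page (it is not the pdo_mysql.php wrapper the answer describes, nor any code from the answer) that implements a minimal frontend of that shape and handles the two cases the answer says binding cannot cover by itself: an ORDER BY column taken from untrusted input and an IN (...) value list. It assumes an in-memory SQLite database via pdo_sqlite instead of MySQL so it runs offline; the articles table, its rows, the untrusted sort value and the function names are constructed for the demonstration.

```php
<?php
// Added example: a pdo_query()-style frontend (SQL and values as separate
// arguments) plus the two things a bound parameter cannot express on its own.
// Not the pdo_mysql.php wrapper from the answer. Assumption: an in-memory
// SQLite database stands in for MySQL so this runs offline.
declare(strict_types=1);

function pdo_connect_demo(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed sample schema and rows, shaped like the articles query above.
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, user TEXT, date TEXT)');
    $insert = $db->prepare('INSERT INTO articles (title, user, date) VALUES (?, ?, ?)');
    $rows = [['Hello', 'root', '2020-01-01'], ['World', 'mario', '2020-01-02'], ['Bye', 'mario', '2020-01-03']];
    foreach ($rows as $row) {
        $insert->execute($row);
    }
    return $db;
}

// The frontend: ? placeholders in the SQL, the values as trailing arguments.
function pdo_query_demo(PDO $db, string $sql, ...$params): PDOStatement
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);      // a 0-indexed array fills ? placeholders in order
    return $stmt;
}

// Identifiers cannot be bound, so the column is chosen from a fixed list and
// anything else falls back to a safe default; the input is never interpolated.
function orderByColumn(string $requested): string
{
    $allowed = ['id', 'title', 'date'];
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

// An IN (...) list cannot be bound as a single value; emit one ? per element.
function placeholders(array $values): string
{
    return implode(',', array_fill(0, count($values), '?'));
}

$db = pdo_connect_demo();

// Plain value binding, as in the rewritten articles query above.
$rows = pdo_query_demo($db,
    'SELECT id, title FROM articles WHERE user <> ? ORDER BY date', 'root')->fetchAll();
printf("%d articles not by root\n", count($rows));

// A column name from untrusted input (constructed): whitelisted, then interpolated.
$untrustedSort = 'title; DROP TABLE articles';
$column = orderByColumn($untrustedSort);
$rows = pdo_query_demo($db, "SELECT id, title FROM articles ORDER BY $column")->fetchAll();
printf("ordered by %s, %d rows\n", $column, count($rows));

// A list of values: expand the placeholders, spread the values as arguments.
$ids = [1, 3];
$rows = pdo_query_demo($db,
    'SELECT title FROM articles WHERE id IN (' . placeholders($ids) . ')', ...$ids)->fetchAll();
printf("%d articles matched the id list\n", count($rows));
```

Only whitelisted strings ever reach the SQL text; everything else goes through execute(), which is the division the answer is pointing at. The IN-list helper keeps that division for arrays by growing the number of placeholders rather than joining the values into the query.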
Answer 5
The mysql_ functions:
- are out of date – they’re not maintained any more
- don’t allow you to move easily to another database backend
- don’t support prepared statements, hence
- encourage programmers to use concatenation to build queries, leading to SQL injection vulnerabilities