
I am doing an e-commerce CMS and all my SQL queries are mysql_* functions. Since they are getting obsolete, I would like to incorporate PDO's/prepared statement.

From a security perspective, should I only use PDO's/prepared statement for queries which involve user input? Can I just use mysql_* functions for queries that don't have user input in them?

Also, I've been googling "PDO vs prepared statement" with no success, to see what the differences are. Is there any difference at all or are they the same thing?

I've also been advised to use MySQLi. Can I stick to PDO's without MySQLi?

Thanks a lot for your suggestions. Regards

alexx0186
  • "PDO vs prepared statement" does not make sense. You can use prepared statements in PDO. You should replace all the `mysql_` functions. They might become deprecated from PHP in the future (they should already be). – kapa May 17 '12 at 11:25
  • Choose either MySQLi or PDO (I would choose PDO because I find its parameter binding method more sensible) and stick with that only. Otherwise you need to maintain two connections (one for each API). Convert everything to PDO. – Michael Berkowski May 17 '12 at 11:26
  • Also, this could be useful to read: http://stackoverflow.com/questions/13569/mysqli-or-pdo-what-are-the-pros-and-cons – kapa May 17 '12 at 11:28
  • Hi, thanks for your help. I will convert everything to PDO. Regards – alexx0186 May 17 '12 at 11:36

2 Answers

Since they are getting obsolete

Since when? They are not deprecated.

All of mysql, mysqli and PDO ultimately do the same thing, but in very different ways. Using three different APIs to the same data is not a good idea - use one and learn how to use it effectively. Of course you can become expert in all of them, but don't mix and match in the same project - other people may want to look at your code.

If you're working on a medium to large scale project, then define your own abstraction layer - that way it doesn't matter which you use. (NB despite the hype making an application portable across different DBMS is not as simple as using an abstraction layer).

symcbean
  • mysql_* functions and the extension itself *are* being deprecated: http://news.php.net/php.internals/53799 . – DCoder May 17 '12 at 11:40

PDO is a prepared statement library (or at least you can do prepared statements with it), so that's why you can't find any differences.

Regarding the mysql_ vs mysqli_ vs PDO question; that's just personal preference. I'd say: stick to one of them, but if your code base is quite large already, I'd say: leave it as it is and just write the new parts with PDO/Mysqli.

Leon Cullens
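The conversion discussed in the question's comments and in both answers, shown as an added example that is not code from the original post or from any of the answerers: the legacy mysql_* pattern with the value spliced into the SQL text, next to the same lookup as a PDO prepared statement, plus a query with no external input on the same PDO connection. The table and column names (`products`, `id`, `name`, `price`), the DSN and the credentials are assumptions.

```php
<?php
// Added example: legacy mysql_* query next to its PDO replacement.
// Table/column names and the connection details are assumptions.

// --- Legacy: mysql_* with the value concatenated into the SQL string ---
// The input becomes part of the SQL text, so the database parser cannot
// distinguish data from query syntax. This is the pattern to migrate away from.
// (The mysql_* extension was removed in PHP 7, so this only runs on PHP 5.)
function legacy_find_product($link, $id)
{
    $sql = "SELECT id, name, price FROM products WHERE id = " . $id;
    $res = mysql_query($sql, $link);
    return $res ? mysql_fetch_assoc($res) : false;
}

// --- PDO: prepared statement; the value travels separately from the SQL text ---
function pdo_find_product(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// A query with no external input uses the same connection: there is no second
// API or second connection to maintain, which is the point made in the comments.
function pdo_count_products(PDO $pdo)
{
    return (int) $pdo->query('SELECT COUNT(*) FROM products')->fetchColumn();
}

// Assumed connection details.
$dsn = 'mysql:host=localhost;dbname=shop;charset=utf8mb4';
$pdo = new PDO($dsn, 'shop_user', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the MySQL server bind the parameters
));

$id = isset($_GET['id']) ? $_GET['id'] : 0;
var_dump(pdo_find_product($pdo, $id));
var_dump(pdo_count_products($pdo));
```

With `ATTR_EMULATE_PREPARES` off, PDO sends the statement and the bound values to the server separately, so the bound value is never interpreted as SQL regardless of its contents.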