
Possible Duplicate:
Why shouldn’t I use mysql_* function in PHP?

I am looking at using Justin Vincent's ezSQL in my next PHP project, and I noticed that it uses mysql_connect under the hood. I know that it is not recommended to use the mysql_* functions in PHP anymore. I have seen my fair share of websites that were SQL injection-attacked through code like the following:

<?php mysql_query("SELECT * FROM my_table WHERE id = " . $_GET['id']); ?>

I know that PDO has support for prepared statements, but you are not forced to prepare your statements, so you could still write similarly insecure queries.

I was wondering if there are any intrinsic security flaws with the mysql_* functions that I should be aware of if I am using a library like ezSQL that handles escaping data before executing a query?

Edit: I am not asking whether I should use PDO/mysqli instead of the mysql extension or whether the mysql extension will be removed in future versions of PHP. The answers to both of these questions are readily available on the PHP manual as well as elsewhere. However, there is a lack of readily-available documentation as to why the mysql extension is discouraged. This is evident by the fact that the PHP manual's answer to the question, "Why is the MySQL extension (ext/mysql) that I've been using for over 10 years discouraged from use? Is it deprecated? What do I use instead? How can I migrate?" does not in fact answer why it is discouraged.

This is a problem for developers using libraries that still rely on the old mysql extension. Just because the extension is no longer supported does not make this an "irrelevant" question, as there are still plenty of libraries that use the old extension.

  • There are already way too many places to get an answer to this question – George Nov 05 '12 at 16:58
  • Your question is not constructive as per current standards, and the short answer is that `mysql_()` is no longer maintained by the community; read the big red box http://php.net/manual/en/book.mysql.php – Mr. Alien Nov 05 '12 at 17:00
  • There are no other intrinsic security flaws than the lack of prepared statements. As you mention, it's perfectly possible to write insecure queries in PDO.... and many people do, believing they're not insecure because hey, they're using PDO, right? That said, mysql_* is being phased out and shouldn't be used in new projects any more. – Pekka Nov 05 '12 at 17:01
  • The PHP manual's [answer to why it is discouraged](http://www.php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated) strangely does not _actually answer the question_, it only says that it IS discouraged. I'm not debating that. I am just curious why. – Andrew Nov 05 '12 at 17:01
  • Also see http://news.php.net/php.internals/53799 – Gordon Nov 05 '12 at 17:02
  • Agreed with Pekka. If you don't know how to use PDO, you are as vulnerable as with any other extension. It doesn't magically give you a safeguard if you don't take the precautions. – itachi Nov 05 '12 at 17:12
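The injection in the question and the point made in the comments (that PDO by itself changes nothing if you still concatenate), as an added example that is not part of the original question, the comments, or ezSQL. It ports the concatenated query to PDO, where the attacker input `1 OR 1=1` still returns every row, and then rewrites the same lookup as a prepared statement with a bound parameter. An in-memory SQLite database is assumed in place of MySQL so the script runs offline; the table contents, the input values and the function names `unsafe_lookup` / `safe_lookup` are constructed for the illustration.

```php
<?php
// Added example, not code from the question or from ezSQL.
// Assumption: an in-memory SQLite database stands in for MySQL so this
// runs offline; the query text and the injection behave the same on MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO my_table (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The pattern from the question, ported from mysql_query() to PDO::query().
// Nothing about PDO helps here: the value is still spliced into the SQL
// text, so "1 OR 1=1" turns a single-row lookup into a dump of the table.
function unsafe_lookup(PDO $pdo, string $id): array
{
    $sql = "SELECT id, name FROM my_table WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The same lookup as a prepared statement. The SQL is parsed first and the
// value is bound afterwards, so it can never alter the statement's structure.
// The integer check in front is an additional input-shape validation; the
// bind on its own is what prevents injection.
function safe_lookup(PDO $pdo, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("id must be an integer, got: $id");
    }
    $stmt = $pdo->prepare('SELECT id, name FROM my_table WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: what $_GET['id'] holds for ?id=1 and for ?id=1+OR+1%3D1
$inputs = ['legitimate' => '1', 'attacker' => '1 OR 1=1'];

foreach ($inputs as $label => $id) {
    $rows = unsafe_lookup($pdo, $id);
    printf("unsafe_lookup, %-10s input: %d row(s)\n", $label, count($rows));

    try {
        $rows = safe_lookup($pdo, $id);
        printf("safe_lookup,   %-10s input: %d row(s)\n", $label, count($rows));
    } catch (InvalidArgumentException $e) {
        printf("safe_lookup,   %-10s input: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

When the DSN is a real MySQL connection, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that PDO uses server-side prepared statements instead of client-side escaping and string substitution; the bound parameters are then transmitted separately from the query text rather than being interpolated into it.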

1 Answer


These two resources should help you:

Advantages Of MySQLi over MySQL

http://php.net/manual/en/mysqli.overview.php

If not, you can Google it for further info, as this is not a real question.
