
I have seen a lot of comments saying that mysql_* is not OK to use, but could not find the answer why.

  • Because it's being [deprecated](http://en.wikipedia.org/wiki/Deprecation). Your question *should* be why is it being deprecated... – Lix Mar 14 '13 at 18:51
  • Please, [don't use mysql_* functions in new code](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about **Prepared Statements** instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). See [this article](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) for a quick overview how to do it and why it is so important. – juergen d Mar 14 '13 at 18:51
  • 2
    @jue - yes, I believe that is the comment the OP is referring to :P – Lix Mar 14 '13 at 18:51
  • ***Who*** upvoted this? This is a duplicate. – Kermit Mar 14 '13 at 18:52
  • MySQLi _is_ vulnerable when calling `mysqli::query()` with concatenated variables instead of prepared statements. – Michael Berkowski Mar 14 '13 at 18:54
  • 1
    @lix: That is why I posted it :) The links in that comment provide enough info – juergen d Mar 14 '13 at 18:55
  • @juergend I think the duplicate answer provides *better* info – Kermit Mar 14 '13 at 18:55
  • `mysqli` is also vulnerable to sql injection if you don't either use prepared statements and/or sanitize the input. The reason not to use `mysql_` is because it's being deprecated, not just because it's vulnerable. As to why it's being deprecated... have a look here: http://webdevrefinery.com/forums/topic/1272-your-mysql-code-sucks – dnagirl Mar 14 '13 at 18:56
  • @lix if something is deprecated, is it worth changing 1000 lines of code in the application? There should be a strong reason – Muhammad Haseeb Khan Mar 14 '13 at 18:56
  • @AarolamaBluenk: The duplicate link is in that comment :) – juergen d Mar 14 '13 at 18:56
  • @juergend Dang it; I gotta start clicking on links! – Kermit Mar 14 '13 at 18:56
  • @MuhammadHaseebKhan How about you *read* the topic which addresses ***all*** the issues? – Kermit Mar 14 '13 at 18:57
  • @muh - it all depends on what PHP version you are running I suppose. Not upgrading and updating your system means you would remain prone to all the bugs and security issues that are fixed with each new release. It also means you'll be able to keep using these old methods, because if you don't change your system, nothing will change with your code. – Lix Mar 14 '13 at 18:57
  • @dnagirl then vulnerability is not the only reason for not using `mysql_*`? – Muhammad Haseeb Khan Mar 14 '13 at 19:00
  • @muh - it's great advice at the end of the day... Updating a lot of code might be a pain but it would ensure another level of safety. Also you shouldn't really be updating so much code - essentially you should only have one piece of code that deals with database communication and everyone else just uses that... – Lix Mar 14 '13 at 19:00
  • @lix my only point here is whether anyone has a strong reason for updating the whole code to `mysqli`? – Muhammad Haseeb Khan Mar 14 '13 at 19:05
  • @muh - whether the reason is strong or not is decided by you. You are the one that will (possibly) have to update all the code. There are a lot of reasons given in the linked question at the top. If none of them satisfy you, then don't make the changes. However I think that after reading them you'll be convinced too. – Lix Mar 14 '13 at 19:15
  • So from reading the whole answer I concluded that for future developments I may use new extensions, but for existing ones I could stick to `mysql_*`, provided that I have taken all security measures – Muhammad Haseeb Khan Mar 14 '13 at 19:23
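The point made in the comments above (mysqli is only safer when you use prepared statements, not when you concatenate input into `mysqli::query()`) shown side by side, as an added example that is not from the question or any commenter. The `users` table, its columns, the connection details and the use of `get_result()` (which needs the mysqlnd driver) are assumptions for illustration.

```php
<?php
// Added example: the same lookup done two ways with mysqli.
// Table `users`, its columns and the connection details are placeholders.
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');

// Unsafe: switching the extension changes nothing here. Concatenating request
// input into the SQL string makes mysqli::query() just as injectable as the old
// mysql_query() was.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Safe: a prepared statement sends the SQL text and the data separately, so the
// value is never parsed as SQL whatever characters it contains.
function findUserSafe(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);     // 's' = bind as a string value
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Constructed input: in the concatenated query it would close the quoted literal
// and append an always-true condition, returning an arbitrary row. The prepared
// version treats it as a plain string and matches only a user literally named that.
$input = "alice' OR '1'='1";
var_dump(findUserSafe($db, $input));
```

The prepared statement is the reason to migrate, not the extension name: a `mysqli` code base that still builds queries by concatenation gains nothing.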

0 Answers