Why are PHP's mysql_ functions deprecated?

Question

Playing Devil's Advocate a little here as I stopped using these functions a while ago, but the question is genuine and probably matters to a lot of SO users.

We all know that using mysql_ functions in the wrong way can be very dangerous, it can leave your website vulnerable, etc. but used correctly these functions can be protected against SQL injection and are actually a fair bit faster than the newer PDO functions.

Bearing all this in mind, why have the mysql_ functions been deprecated?

Perhaps.. Too late to ask this question http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php?rq=1 — Mr. Alien, May 31 '13 at 14:18
I'm asking why they have been deprecated and whether I should cease to use them, not why I shouldn't use them. — Glitch Desire, May 31 '13 at 14:19
Exact duplicate of [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/a/14112684/285587) — Your Common Sense, May 31 '13 at 14:20
The last question isn't entirely answered in the other topic, so: *Deprecation in PHP means not being maintained, only being left in there for legacy reasons, and most of all **will be a removed in an undefined future version**.* So yes, you should definitely stop using it. — Niels Keurentjes, May 31 '13 at 14:22
@NielsKeurentjes - We all know that the eventual removal will just result in `mysql` functions being lumped into a library and every host on the planet continuing to compile it into their PHP so as not to lose legacy customers. I'm asking *why* the features were deprecated. I can't find an official justification from the PHP team. — Glitch Desire, May 31 '13 at 14:23
@LightningDust I wouldn't hold my breath for that to happen in PHP6. While the 5-branch will most certainly keep supporting it forever, the switch to 6 is extremely likely to fundamentally drop it, and I doubt there will be universal support amongst hosters for custom patches in a major version which will break a lot of other code as well anyway. — Niels Keurentjes, May 31 '13 at 14:24
`mysql_query` is a very thin wrapper around the low-level C bindings and was introduced long before things like SQL injection issues were taken seriously. They were a stop-gap measure that's become a crutch and a liability. If history is any example, providers won't make a module to support these functions, they'll just make PHP 5.4 available for legacy apps, just as PHP 4 stuck around far, *far* too long. — tadman, May 31 '13 at 14:28
Voting to get you that question reopened. What I know is that the underlying mysql client library is outdated. As `mysql_*` in PHP userland was the binding to that C library (*libmysqlclient*) for PHP it outdated as well. If you've got a newer PHP version ensure you have mysqlnd running in the background, then `mysql_*` uses that client library instead. http://www.php.net/mysqlinfo.library.choosing — hakre, May 31 '13 at 14:35
As a matter of fact, whole PHP is a "very thin wrapper around the low-level C bindings", as Rasmus often stated it. Nobody is going to deprecate it for this reason. — Your Common Sense, May 31 '13 at 14:36
I also think this question is useful. Being able to point countless users to *why* mysql was deprecated is something else than pointing them to *that* is was deprecated. The supposed duplicate has one short answer which has good reasons against *using* mysql and one giant answer which nobody will read, so it's not a useful duplicate. — deceze, May 31 '13 at 14:36
@Your Common Sense: Sure, just for the sake of being outdated it's getting deprecated. You can still hit-arround with libmysqlclient if you compile PHP that way. However do not expect anything going forward on the layer of the *very thin wrapper* because `mysql_*` *very thin wrapper* is deprecated and not getting any more attention. — hakre, May 31 '13 at 14:38
@Niels It's not clear when if ever PHP 6 will emerge and what it will look like. Right now, the PHP devs are committed to an annual release cycle of 5.x branches, and I wouldn't be surprised to see the deprecated APIs to be removed in 5.7, i.e. 2015 — IMSoP, May 31 '13 at 14:59
Even if this is not a "duplicate", it should be closed as Subjective. It's not a good question. You ask "Should I cease to use them". Well, that's an opinion. That can elicit debate. Most people will say "Avoid on sight", but what if someone says "they are practically fine to use, ignore all those other people". The fact is it's not possible to answer this question without some level of subjectivity, and it opens the door to a lot of speculation and argument. My opinion is it should be closed as such... — ircmaxell, May 31 '13 at 15:01
@ircmaxell *"Why was it deprecated"* is a rather answerable question though. Would it help to remove the other part of the question? — deceze, May 31 '13 at 15:08
@deceze: I think that would definitely help with the subjective part. But I still don't think that's a good question for the SO format. Removing the second question would be a step in the right direction though... — ircmaxell, May 31 '13 at 15:12
PDO can be used dangerous just as easily as mysql or mysqli. They're **TOOLS**. In the right hands, they can make a beautiful painting or build a wonderous structure. In the wrong hands, they'll blow off the user's foot, or blow off the feet of everyone in the neighborhood. It's NOT the tool's fault, it's the user's. — Marc B, May 31 '13 at 15:19
Think the amount of discussion this has generated regarding deprecation and the tool shows that it's not a duplicate of a simple 'Why is it worse than X?' question. Moderators should err on the side of open discussion in these cases imo. — Glitch Desire, May 31 '13 at 15:43
@deceze - Agree with you, I should have kept this to one question. Should be re-opened now though. — Glitch Desire, May 31 '13 at 16:30

deceze · Accepted Answer · 2013-05-31T16:50:33.740

16

The mysql extension is ancient and has been around since PHP 2.0, released 15 years ago (!!); which is a decidedly different beast than the modern PHP which tries to shed the bad practices of its past. The mysql extension is a very raw, low-level connector to MySQL which lacks many convenience features and is thereby hard to apply correctly in a secure fashion; it's therefore bad for noobs. Many developers do not understand SQL injection and the mysql API is fragile enough to make it hard to prevent it, even if you're aware of it. It is full of global state (implicit connection passing for instance), which makes it easy to write code that is hard to maintain. Since it's old, it may be unreasonably hard to maintain at the PHP core level.

The mysqli extension is a lot newer and fixes all the above problems. PDO is also rather new and fixes all those problems too, plus more.

Due to these reasons* the mysql extension will be removed sometime in the future. It did its job in its heyday, rather badly, but it did it. Time has moved on, best practices have evolved, applications have gotten more complex and require a more modern API. mysql is being retired, live with it.

Given all this, there's no reason to keep using it except for inertia.

* These are my common sense summary reasons; for the whole official story, look here: https://wiki.php.net/rfc/mysql_deprecation

Choice quotes from that document follow:

The documentation team is discussing the database security situation, and educating users to move away from the commonly used ext/mysql extension is part of this.

Moving away from ext/mysql is not only about security but also about having access to all features of the MySQL database.

ext/mysql is hard to maintain code. It is not not getting new features. Keeping it up to date for working with new versions of libmysql or mysqlnd versions is work, we probably could spend that time better.

edited May 31 '13 at 16:50

answered May 31 '13 at 14:44

deceze

510,633
85
743
889

2

Points of clarity: Moving from `ext/mysql` to `ext/mysqli` or `ext/pdo` isn't about security. In fact, depending on the PHP version, `PDO` may be less secure than `ext/mysql` (specifically due to the [lack of ability to set the charset prior to 5.3.6](http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection/12202218#12202218)). So even though people frequently cite "security reasons", it's a BS answer. Yes, Prepared Statements are better. But that doesn't mean `ext/mysql` when used properly isn't secure... – ircmaxell May 31 '13 at 15:09
3

True, mysql isn't *insecure* per se; it's just more difficult to *use it securely*, or rather *"it's very easy to use it insecurely"*. You can always shoot yourself in the foot with any MySQL library, of course. – deceze May 31 '13 at 15:10
Definitely. Not arguing that point (or that it should or shouldn't have been deprecated). Just clarifying that it wasn't because you *can't* secure `ext/mysql`... Which I have heard some very prominent developers say... – ircmaxell May 31 '13 at 15:13
Quote: *Due to these reasons the mysql extension will be removed sometime in the future* ..... it's worth emphasising that this "sometime in the future" is getting very close, because it's happening in PHP 5.5, which is in beta now and will be fully released within a couple of months now. – Spudley May 31 '13 at 15:31
@Spudley It's not being removed in 5.5, they're just going to make it raise notices to encourage people to move away from it. Removal probably won't be for another couple of releases (i.e. years) – IMSoP May 31 '13 at 15:47
@IMSoP - recent history says that PHP features are removed in the next version after they're formally deprecated. But yes, point taken. :) – Spudley May 31 '13 at 15:51

score 3 · Answer 2 · edited Jun 20 '20 at 09:12

Deprecation

As far as I know, it's Oracle folks responsible for the support, just refused to do so anymore. That's seems to be the main reason.

All other reasons are but silly excuses. There are a ton of extension in the PHP of the same age, happily up and running. Some new features in a modern version is not a reason to deprecate an older one. And of course, there is no security problem with library itself but rather with library users.

does this mean I should cease to use them in my sites?

It depends.

For the legacy code, I doubt it worth starting for emergency rewriting.
As for the brand new projects - the answer is fairly simple:

you just shouldn't use whatever API calls in the application code but in the DBAL library only.

It will not only make whole driver problem negligible (as you will only need to rewrite a relatively small library code in order to change drivers) but also it can make your code dramatically shorter and cleaner.

Performance

Speaking of the performance difference, there is an interesting thing to mention. The Internet is indeed full of benchmarks telling you that X is faster than Y by Z times. But how one can tell a good benchmark from a bad one? It's hard to tell in general. Generally speaking, when writing a test, one have to understand what are they doing. Unfortunately, most of test-writers don't.

Let's take one linked in your question.

By including connection code in the loop, the author merely benchmarking connection time, but not what he was intended to measure. The results are quite predictable.
Because

connection is known to be a relatively resource-consuming operation
mysql_connect() never actually reconnects (if not told explicitly), but rather use last opened connection instead.

So we have mysql ext dramatically faster as a result. No wonder, as both mysqli and PDO had to connect all the thousands times, while mysql had to connect only once.

With connect removed from the iterated code, results dramatically change, showing total insignificance.

There are many other pitfalls in this test but the idea remains the same:

NEVER run idle benchmarks out of nowhere. But always do any benchmarks only if you have a reason to and in the real environment. Otherwise you will measure anything but whatever meaningful numbers.

`mysql_*()` uses the mysqlnd driver under the hood. So it's not because libmysql isn't supported (as it's not even used by default for that extension)... — ircmaxell, May 31 '13 at 14:51
Ok, it was stupid assumption. Though I heard that mysql folks are involved in the mess. — Your Common Sense, May 31 '13 at 14:57
Yes, they are involved (and were some of the people making the recommendations)... — ircmaxell, May 31 '13 at 14:59

score 1 · Answer 3 · answered May 31 '13 at 14:51

1

Why are they deprecated?

Well, the fundamental reason is that the API was poorly designed. The mysqli library was created as a direct replacement for it, with better API design.

Yes, there are issues with the internal code for the library which means that it needs to be replaced, but if the API had been better designed in the first place, the mysqli library need not have been written; the improved code could simply have been swapped in to the existing library and we as developers could have carried on using the existing functions without needing to even know that things had changed internally.

However, that wasn't the case. The original API did have some critical design flaws which meant that when the PHP developers wanted to improve things, there were issues that meant that they could not do this.

Therefore, the best course of action for them was to provide a new API and deprecate the old one.

answered May 31 '13 at 14:51

Spudley

166,037
39
233
307

3

If that was the truth (the API was poorly designed), why isn't 90% of the PHP std lib deprecated? ;-) – ircmaxell May 31 '13 at 14:56
@ircmaxell *"If you want to fix PHP, use [Python/Ruby/$otherRivalLanguage]"*? ;) – deceze May 31 '13 at 14:58
2

Speaking of *poor design* I'd give the palm to mysqli prepared statements, which is just insane, involving call_user_func_array for almost whatever commonplace operation – Your Common Sense May 31 '13 at 15:00
Absolutely agree there! Whoever thought about references there needs a talkin to... – ircmaxell May 31 '13 at 15:02
@ircmaxell - okay, hypothetically... let's say that the original ext_mysql API was identical from day-one to what we now know as ext_mysqli; so, eg the connection variable wasn't optional, etc. Now, fast fwd to when they decided to write mysqli: there's some flaws in the internals, there's some things to add (prep statements), but the core API is "perfect" (as they saw it at the time). Question: Given that, would they still have created ext_mysqli, or would they have simply rewritten the ext_mysql internals? – Spudley May 31 '13 at 15:14
1

@Spudley: difficult question to answer. So difficult that it's not really answerable... – ircmaxell May 31 '13 at 15:16
@Spudley If hypothetically only the internals were complicated, yet it was possible to replace them entirely without changing the outward facing API at all and thereby breaking existing code... the answer seems obvious. The low-level C connector was replaced in exactly this manner (mysqlnd). – deceze May 31 '13 at 15:19
@ircmaxell - yeah, I can appreciate that! :-) It really was just hypothetical. My guess is that they would have rewritten the internals and kept the API; that was the thrust of my answer. – Spudley May 31 '13 at 15:28

score -1 · Answer 4 · answered May 31 '13 at 14:51

Feature comparison

As it lacks features simply expected nowadays, it´s not longer worth maintaining. As PHP tries to keep a slim API (...), you can expect it to be eventually removed. It´s like with IE7: YOu can´t expect to use it until it "disapears". You must stop usage yourself.

Picture from http://php.net/manual/en/mysqlinfo.api.choosing.php

Why are PHP's mysql_ functions deprecated?

4 Answers4

Deprecation

Performance

Linked