I have a site written in PHP with SQL code. What is the best way to upgrade my code to sqli? Any training or tutorials? How to have clear PHP code?

```php
mysql_connect("localhost","root","");
mysql_select_db("timer");
```

mr.soroush
Asghar Ali
  • If you look at rewriting anyway, why not use [PDO](http://de2.php.net/manual/de/book.pdo.php) - even more future-proof and gives you added flexibility, since exchanging db will be done easily... (Oops, STT LCU beat me - sorry for repeating, my typing is too slow...) – MBaas Aug 01 '13 at 06:35

1 Answer

The documentation touches on that, to some extent, e.g. here. You can use the same function names, just prefixed with `mysqli` instead of `mysql` for the most part, apparently.

From there you should be able to swap out parts of your code with better constructs in mysqli, e.g. parametrised statements instead of manually concatenating SQL.

Joey
  • Just start writing with sqli? No change or something needed? – Asghar Ali Aug 01 '13 at 06:55
  • Well, you cannot use a connection started with `mysql_connect` with `mysqli_query`, so you have to upgrade all places at once. But apart from that the procedural interface seems to be largely the same. – Joey Aug 01 '13 at 07:05
  • And could you tell me what is the difference? Why is sqli preferred? – Asghar Ali Aug 01 '13 at 07:16
  • There is a [feature matrix](http://de2.php.net/manual/en/mysqlinfo.api.choosing.php) in the documentation. Short story is that the `mysql` extension is old, clunky and doesn't support newer features in the server at all. I suspect a large reason why they didn't just improve the `mysql` extension is backwards compatibility and the large risk of breaking pretty much everything out there. – Joey Aug 01 '13 at 07:24
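
The migration described in the answer, as an added example that is not part of the original post or its comments: the question's two `mysql_*` calls replaced by their procedural `mysqli` equivalent, followed by a parametrised statement in place of string concatenation. It assumes a MySQL server reachable with the credentials from the question and an existing `timer` database; the `demo_tasks` table and its columns are hypothetical.

```php
<?php
// Added example: procedural mysqli version of the question's connection code,
// plus a parametrised query. Table demo_tasks is hypothetical.

// Make mysqli throw exceptions instead of failing silently with false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Old: mysql_connect("localhost","root",""); mysql_select_db("timer");
// New: one call; the connection handle is passed explicitly from here on.
$db = mysqli_connect("localhost", "root", "", "timer");
mysqli_set_charset($db, "utf8mb4");

// Temporary table so the example does not touch existing data.
mysqli_query($db, "CREATE TEMPORARY TABLE demo_tasks (
    id   INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL
)");

// Constructed input containing a quote and a comment marker, the kind of
// value that breaks a query built by concatenation.
$name = "O'Brien -- lunch break";

// Old style to replace: "INSERT ... VALUES ('" . $name . "')"
// Parametrised: the value is sent separately from the SQL text.
$insert = mysqli_prepare($db, "INSERT INTO demo_tasks (name) VALUES (?)");
mysqli_stmt_bind_param($insert, "s", $name);
mysqli_stmt_execute($insert);
mysqli_stmt_close($insert);

// Read the row back, again with a bound parameter.
$select = mysqli_prepare($db, "SELECT id, name FROM demo_tasks WHERE name = ?");
mysqli_stmt_bind_param($select, "s", $name);
mysqli_stmt_execute($select);
mysqli_stmt_bind_result($select, $id, $storedName);
while (mysqli_stmt_fetch($select)) {
    // The stored value is the input as given, treated purely as data.
    printf("%d: %s\n", $id, $storedName);
}
mysqli_stmt_close($select);
mysqli_close($db);
```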