PHP/mysql: Is changing (SELECT, {resource}) to ({resource}, SELECT) a viable temporary patch for mysql_* to mysqli_*?

Question

On first inspection of the differences in application of the mysql*() and mysqli*() families of functions, it appears to me that

$seta = mysql_query("SELECT * FROM table WHERE field = $Filter", $database);

Can be rapidly replaced with:

$seta = mysqli_query($database, "SELECT * FROM table WHERE field = $Filter");

Similarly, it also appears that

IF ($A = mysql_fetch_array($seta)) {
    do {
    //code here
    } while ($A = mysql_fetch_array($seta));
}

Could be replaced with:

IF ($A = mysqli_fetch_array($seta)) {
    do {
    //code here
    } while ($A = mysqli_fetch_array($seta));
}

Will this work the way I am expecting it to? As it worked before mysqli*()?

PLEASE NOTE: I am not asking if I SHOULD do this, only if I CAN do this. I know full well that slapping a band-aid on a broken leg is useless... That said, I don't have that many hours of coding/testing time before the Demo in March this is being prepped for.

Yes, I understand the this is vulnerable code. I won't go to production without safeguards. I also realize that I am not using all the power of the mysqli*() family of functions this way.

My goal is to refactor everything properly when there isn't such a heavy time crunch (Yes, I know, famous last programmer words). I just need the patched code to run for a Demo then I can retire it.

I have high hopes that with a working prototype -- both in situ and on a server I'm spinning up just to demonstrate the need for software updates -- I'll be able to leave the PHP v4.x blues behind.

Project:
PHP/MySQL better user searching

Also checked:
How to upgrade from mysql* to mysqli*?
PHP Migrating from mysql* to mysqli
Above titles were trimed of underscores to prevent formatting

what's the question/problem? *"I am not asking if I SHOULD do this, only if I CAN do this."* - what is stopping you? — Funk Forty Niner, Jan 17 '17 at 18:28
@fred-ii Forgive me, I thought my question was clear. Post edited. I'm asking if my understanding of the syntax/operation of the the function families is correct in the most basic of sense. — Sandor Dosa, Jan 17 '17 at 18:31
*"Will this work the way I am expecting it to? As it worked before mysqli*()?"* - Try it out on a test db/script. If there are no syntax errors, I can't see how it would fail. Just remember that there are a few `mysqli_` functions that require a db connection be passed as the first argument. Once you've done that, then everything should go as planned. Just remember that you can't mix different MySQL APIs though. — Funk Forty Niner, Jan 17 '17 at 18:33
Well, if it's *temporary* and you understand that slapping on an `i` and shuffling parameters around you're not doing yourself (1) any API favours or (2) simplifying things down the road... -- But you *do* know about user-defined functions, right? So, why not avoid tying yourself to a specific interface when you're rewriting anyway? Or is your question about any more complex use cases? — mario, Jan 17 '17 at 18:40
@mario the TL:DR is the controlling authority doesn't believe the production server is broken. Nor does he care that we are three major versions of PHP behind. I've got to prove the need. I'll use MAMP and my MacBook to do this. MAMP does not offer a PHP 4.4.9 build so I have to translate the code on a clone of the production server just to run. — Sandor Dosa, Jan 17 '17 at 18:54

score 2 · Accepted Answer · answered Jan 17 '17 at 18:53

The quick and dirty method, with emphasis on dirty, is to do it this way by converting mysql_query to mysqli_query and so on. The problem is mysql_query is really clunky to use so preserving that coding style is not going to help clean anything up.

Although I'd strongly recommend switching to PDO, it's a more flexible and capable database layer, if you want mysqli then what you want to do is employ parameterized queries and bind_param to add user data to your query. This solves the vast majority of SQL injection bugs out of the gate. I'd also suggest using the object-oriented interface so your updated code is obvious. The difference of a single i can be easy to overlook, plus it's typically less verbose.

In other words, your replaced code looks like:

$stmt = $database->prepare("SELECT * FROM table WHERE field=?");
$stmt->bind_param('s', $filter);
$res = $stmt->execute();

If you're disciplined about doing this you should catch all your SQL mistakes.

PDO is nicer because of named parameters:

$stmt = $database->prepare("SELECT * FROM table WHERE field=:filter");
$res = $stmt->execute(array('filter' => $filter));

That usually means less code in the long-run.

Hmmm. First off, thank you. The point of trying a quick and dirty drop in replacement was to save time for testing. I don't fully grok your answer, though I know I ought to. I'm hoping to clone to a local IDE, and that means using mysqli*() just to get it to work where I can test. If I don't change anything else I can backtrack to the production server and after the demo fix it right. I don't think I have time to it right the first time. — Sandor Dosa, Jan 17 '17 at 19:37
Make sure you have some kind of version control in place here. Whenever making changes this pervasive you'll want to be able to *diff* your code and make sure you didn't mangle other things. Have a look at [PHP the Right Way](http://phptherightway.com) for ways you can improve your code base while you're having a good look at it. — tadman, Jan 17 '17 at 20:00
Absolutely. Thankful the entire project is under 10k lines in total, and while we had someone 'CSS' it a couple years back, the underlying code is all mine. — Sandor Dosa, Jan 17 '17 at 20:02

PHP/mysql: Is changing (SELECT, {resource}) to ({resource}, SELECT) a viable temporary patch for mysql_* to mysqli_*?

1 Answers1