
I've decided to switch to MySQLi, because some people have told me it's more secure. What I'm really confused about is the new extensions. I tried just adding 'i' after every mysql, but that gave me a crap load of errors. I looked up in the PHP manual why that was happening and there was a whole bunch of other functions. I honestly can't figure out how to convert. Can you help me out?

```php
<?php
include("dbinfo.php");

// Old ext/mysql connection (the one the queries below actually use)
mysql_connect($c_host,$c_username,$c_password);
@mysql_select_db($c_database) or die(mysql_error());

// New mysqli connection, opened but never used by the code below
$mycon = new mysqli($c_host, $c_username, $c_password, $c_database);

// The cookie value is concatenated straight into the SQL string
$query="SELECT * FROM users WHERE username='" .$_COOKIE['username']. "'";
$result=mysql_query($query) or die(mysql_error());
$num=mysql_numrows($result);

// $i is not defined anywhere in the snippet as posted
$username=mysql_result($result,$i,"username");
```
  • Here's a start. Use [`mysqli_escape_string`](http://www.php.net/manual/en/function.mysqli-escape-string.php) to properly escape what's in `$_COOKIE['username']` before executing the query. – Linus Kleen Jan 09 '11 at 17:22
  • That'll seriously do the trick? Is this all I need? – Seth Jan 09 '11 at 17:23
  • Did you read the documentation (http://php.net/manual/en/book.mysqli.php)? Usually, you're not going to be able to transition from one library to another just by changing the names of functions. Many of those functions' arguments and return values will have changed. Nobody writes a library to exactly re-create an existing library. – asthasr Jan 09 '11 at 17:23
  • Yeah, I read most of it. I saw that the parameters were very different. All I need is help with my transition. – Seth Jan 09 '11 at 17:25
  • By adding just i to the mysql commands you will gain no security. Go figure. – Your Common Sense Jan 09 '11 at 17:48
  • To be honest, you guys' answers haven't helped me any more than before I asked. :/ – Seth Jan 09 '11 at 17:50
  • To be honest, this is a poor question. There are multiple ways to convert this to the mysqli library, all of which should be clear if you read the documentation. Just adding 'i' to the function names isn't one of them. – jasonbar Jan 09 '11 at 18:03
  • @Seth Sorry, we're not prepared to do all your work for you. – John Parker Jan 09 '11 at 18:11

2 Answers


Here's what you need to do:

  1. Read the overview so that you have an understanding of the differences/advantages.

  2. Consult the old -> new function summary on the PHP site and get your existing code up and running with the mysqli interface.

  3. Take advantage of the improvements (such as using prepared statements) otherwise this is a futile exercise. (By default mysqli really isn't any more secure than mysql.)

John Parker

One of the reasons MySQLi is more "secure" is that it offers a different interface, which is better in many ways. Instead of trying to translate your code directly, learn the new interface and use it. If that's all your code, it wouldn't be easy to rewrite from scratch, and, what is more important, look up the equivalents (and alternatives) for everything you're doing in the code that you pasted.

For starters, you should use `$mysqli->prepare` with parameters instead of interpolating variables like you're doing.

http://www.php.net/manual/en/mysqli.prepare.php

Rosh Oxymoron
  • To be honest, you guys' answers haven't helped me any more than before I asked. :/ – Seth Jan 09 '11 at 17:34
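Both answers point at prepared statements without showing them, so here is the question's query rewritten that way. This is an added example, not code from the question or either answer; it assumes `dbinfo.php` defines `$c_host`, `$c_username`, `$c_password` and `$c_database` as in the question, and that the mysqlnd driver is available for `get_result()`.

```php
<?php
// Added example: the question's lookup converted to mysqli prepared statements.
// Assumes dbinfo.php defines $c_host, $c_username, $c_password, $c_database.
include("dbinfo.php");

// Raise exceptions on driver errors instead of "or die(mysql_error())" chains.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mycon = new mysqli($c_host, $c_username, $c_password, $c_database);
$mycon->set_charset('utf8mb4');   // charset must be set on the connection, not in SQL

// The cookie is client-controlled. With a placeholder it is sent as data,
// so quotes or SQL keywords inside it cannot change the statement.
$cookieUser = $_COOKIE['username'] ?? '';

$stmt = $mycon->prepare("SELECT username FROM users WHERE username = ?");
$stmt->bind_param('s', $cookieUser);  // 's' = bind as a string
$stmt->execute();

$result = $stmt->get_result();        // mysqlnd only; otherwise use bind_result()
$num = $result->num_rows;             // replaces mysql_numrows($result)

$username = null;
if ($row = $result->fetch_assoc()) {  // replaces mysql_result($result, $i, "username")
    $username = $row['username'];
}

$stmt->close();
$mycon->close();
```

Binding the parameter only removes the injection; whether a bare cookie should identify the logged-in user at all is a separate question that this rewrite does not address.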