4

In PHP, it is possible to do things like $results = mysql_query("select ....");

(see how no link identifier was provided).

The only thing that requires is that a mysql_connect() function has been called before, successfully.

Now I tend to always provide a link identifier but I don't really know why.

Is calling queries without a link identifier any less secure than the other way (providing the link identifier in every query)?

Felipe
  • 1
    You're just not taking advantage of PHP's default connection handling. But it has no security implications either way. – mario May 20 '11 at 01:35

3 Answers

3

The link identifier is needed when you have an application that needs to connect to more than one database server in the same request/transaction.

It's a good idea to use it even if you only have one database. "Explicit is better." Oh wait, that's Python.

AJ.
  • I mean does it reduce the robustness of the system? – Felipe May 20 '11 at 01:32
  • See my updated answer. You never know, at some point, you may add a second database, and you'll be kicking yourself if you have to refactor a bunch of code. – AJ. May 20 '11 at 01:32
  • 1
    to more than one MySQL SERVER! Not database! – Nemoden May 20 '11 at 01:32
  • Sorry, you're right, that was unnecessarily ambiguous. I updated my answer. – AJ. May 20 '11 at 01:34
  • @Nemoden Generally: *if you open more than one connection*. – deceze May 20 '11 at 01:34
  • is there any reason to use mysql_query over mysqli_query? mysqli_query requires the link identifier – yitwail May 20 '11 at 01:36
  • 1
    @yitwail - I won't attempt to reinvent the wheel of thinking on that question, but here's a good SO thread that took this up already: http://stackoverflow.com/questions/548986/mysql-vs-mysqli-in-php – AJ. May 20 '11 at 01:38
  • @AJ, thanks for the link. FYI, the PHP online doc says (regarding mysqli)--If you are using MySQL versions 4.1.3 or later it is strongly recommended that you use this extension--but neglects to say why. – yitwail May 20 '11 at 01:42
  • Yep, keep reading down that page. It goes on to say quite a bit more about server features that are only supported in mysqli. – AJ. May 20 '11 at 01:44
  • I read all that, AJ. If you need the features that mysql lacks, then mysqli is obviously necessary, but the *strong* recommendation seems to be unconditional. I for one use mysqli by the way, even though mysql would suffice. – yitwail May 20 '11 at 02:06
2

No, it is not any less safe.

However, using mysql_*() functions is less safe than PDO because they don't have parameter binding by default.

If you switch to PDO and use bindParam(), then it is safer than mysql_*().

alex
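
Added example (not part of the original answer or thread): the parameter binding described in the answer above, shown beside a string-built query of the kind mysql_query() takes. It uses PDO against an in-memory SQLite database so it runs offline (assumes pdo_sqlite is enabled); the table, rows, inputs and function names are constructed for illustration, and the explicitly passed $db handle plays the role of the link identifier.

```php
<?php
// Constructed schema and data; SQLite in memory stands in for a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// String-built query: the input becomes part of the SQL text itself.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement with bindParam(): the input is passed as a value
// and is never parsed as SQL, whatever characters it contains.
function findByNameBound(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name, email FROM users WHERE name = :name");
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Run a lookup and summarise the outcome, including SQL errors.
function outcome(callable $lookup): string
{
    try {
        return count($lookup()) . " row(s)";
    } catch (PDOException $e) {
        return "SQL error";
    }
}

// Constructed inputs: a plain name, a legitimate name containing an apostrophe,
// and a value whose quote changes the WHERE clause of the string-built query.
$inputs = ["alice", "O'Brien", "nobody' OR '1'='1"];
foreach ($inputs as $input) {
    printf("%-20s concat: %-10s bound: %s\n",
        $input,
        outcome(fn() => findByNameConcat($db, $input)),
        outcome(fn() => findByNameBound($db, $input)));
}
```

Both functions receive the same explicit connection handle; only the way the value reaches the query differs between them.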
1

If the system will never connect to multiple databases, there are no consequences in practice. I'm sure there are some in theory, which I will be informed of via flaming comments in no time!

David Fells