PHP: mysql v mysqli v pdo [closed]

by

The design of the mysql_query function is such that you’ve got to be careful to escape each and every bit of data you’re injecting into it, and if you miss even one your entire application can be destroyed by an automatic SQL vulnerability exploit tool.

Both mysqli and PDO support placeholders which are required to ensure that your queries are safe from SQL injection bugs. Calling mysql_real_escape_string on everything is not only tedious, but error-prone, and that’s where the problems arise.

The mysql functions are a product of the very early days of PHP and are significantly more limited than the new object-oriented features offered by both mysqli as an option, or PDO by design.

There’s a number of very good reasons to use one of these two new interfaces, but the most important is that the mysql_query function is simply too hazardous to use in production code. With it you will always be one mistake away from some very serious problems.

There’s a reason rips of databases full of passwords and credit card numbers keep showing up. Having an obvious SQL injection point makes it almost too easy to completely take over a site.

More Related Contents:

  1. Can I mix MySQL APIs in PHP?
  2. How to check if a row exists in MySQL? (i.e. check if username or email exists in MySQL)
  3. mysqli or PDO – what are the pros and cons? [closed]
  4. How to prevent duplicate usernames when people register?
  5. What is the difference between MySQL, MySQLi and PDO? [closed]
  6. PHP PDO and MySQLi [duplicate]
  7. Unknown database error in PHP but it exists in PHPMyAdmin
  8. PHP PDO and Mysql [closed]
  9. How to properly set up a PDO connection
  10. Fatal error: Call to a member function bind_param() on boolean [duplicate]
  11. PHP PDO prepared statements
  12. Example of how to use bind_result vs get_result
  13. mysqli::query(): Couldn’t fetch mysqli
  14. PHP MySQLI Prevent SQL Injection [duplicate]
  15. mysql PDO how to bind LIKE
  16. How to test if a MySQL query was successful in modifying database table data?
  17. mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in [duplicate]
  18. How to install pdo driver in php docker image?
  19. MYSQLi error: User already has more than ‘max_user_connections’ active connections [duplicate]
  20. MySQL retrieve variable from Stored Procedure in PHP PDO
  21. Understanding pdo mysql transactions
  22. In PHP with PDO, how to check the final SQL parametrized query? [duplicate]
  23. Error while using PDO prepared statements and LIMIT in query [duplicate]
  24. PDO prepared statement fetch() returning double results
  25. SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
  26. PDO::rowCount VS COUNT(*)
  27. mysqli prepared statement num_rows returns 0 while query returns greater than 0 [duplicate]
  28. PDO bindParam into one statement?
  29. What is the PDO equivalent of function mysql_real_escape_string?
  30. Installing PDO driver on MySQL Linux server

Leave a Comment