Why shouldn’t I use mysql_* functions in PHP?

Solution:1

The MySQL extension:

  • Is not under active development
  • Is officially deprecated as of PHP 5.5 (released June 2013).
  • Has been removed entirely as of PHP 7.0 (released December 2015)
    • This means that as of 31 Dec 2018 it does not exist in any supported version of PHP. If you are using a version of PHP which supports it, you are using a version which doesn’t get security problems fixed.
  • Lacks an OO interface
  • Doesn’t support:
    • Non-blocking, asynchronous queries
    • Prepared statements or parameterized queries
    • Stored procedures
    • Multiple Statements
    • Transactions
    • The “new” password authentication method (on by default in MySQL 5.6; required in 5.7)
    • Any of the new functionality in MySQL 5.1 or later

Since it is deprecated, using it makes your code less future proof.

Lack of support for prepared statements is particularly important as they provide a clearer, less error-prone method of escaping and quoting external data than manually escaping it with a separate function call.

See the comparison of SQL extensions.
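As an added illustration of the point about prepared statements versus manual escaping (this is example code written for this page, not part of the original answer), the script below builds the kind of query legacy mysql_* code produced for a numeric id and runs it next to a PDO prepared statement. It assumes a local MySQL server reachable with the hypothetical credentials in the `$dsn`/`$user`/`$pass` lines; the `users` table and its rows are constructed by the script itself so nothing else is needed. The escaping function in the legacy line is `addslashes()` standing in for the removed `mysql_real_escape_string()`, which is a labelled substitution.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. Assumes a local MySQL
// server and these hypothetical credentials plus a database named `app`.
$dsn  = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$user = 'app';
$pass = 'secret';

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of silently returning false
    PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares: values never enter the SQL text
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed sample data so the script is self-contained.
$pdo->exec('CREATE TEMPORARY TABLE users (id INT PRIMARY KEY, email VARCHAR(100))');
$pdo->exec("INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");

// Constructed attacker input, e.g. what $_GET['id'] might carry.
$tainted = '1 OR 1=1';

// The legacy pattern. Escaping only touches quote and backslash characters;
// this input has none, so it passes through untouched, and because the value
// was never quoted in the SQL the WHERE clause reads `id = 1 OR 1=1`.
// addslashes() stands in here for the removed mysql_real_escape_string().
$legacySql = 'SELECT id, email FROM users WHERE id = ' . addslashes($tainted);
echo "Legacy query text: $legacySql\n";
echo 'Legacy rows returned: ' . count($pdo->query($legacySql)->fetchAll()) . "\n"; // 2: every user

// The replacement: validate the expected type, then bind the value as a
// parameter so the statement text is fixed before the value is supplied.
function findUserById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                           // '1 OR 1=1' is rejected before any SQL is built
    }
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

var_dump(findUserById($pdo, $tainted));   // NULL: rejected as not an integer
var_dump(findUserById($pdo, '2'));        // ['id' => 2, 'email' => 'bob@example.com']
```

The type check in `findUserById()` is the part escaping cannot replace: an unquoted integer context has nothing to escape, so the fix is to refuse anything that is not an integer and then hand the value to the server separately from the query text. `PDO::ATTR_EMULATE_PREPARES => false` makes the MySQL driver use real server-side prepares; with emulation left on, PDO quotes values client-side, which is still safe for this query but depends on the connection charset being set correctly, hence the `charset=utf8mb4` in the DSN.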

Solution:2

First, let’s begin with the standard comment we give everyone:

Please, don’t use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi – this article will help you decide which. If you choose PDO, here is a good tutorial.

Let’s go through this, sentence by sentence, and explain:

  • They are no longer maintained, and are officially deprecated. This means that the PHP community is gradually dropping support for these very old functions. They are likely to not exist in a future (recent) version of PHP! Continued use of these functions may break your code in the (not so) far future.

    NEW! – ext/mysql is now officially deprecated as of PHP 5.5!

    Newer! ext/mysql has been removed in PHP 7.

  • Instead, you should learn of prepared statements. The mysql_* extension does not support prepared statements, which are (among other things) a very effective countermeasure against SQL Injection. It fixed a very serious vulnerability in MySQL dependent applications which allows attackers to gain access to your script and perform any possible query on your database.

    For more information, see How can I prevent SQL injection in PHP?

  • See the Red Box? When you go to any mysql function manual page, you see a red box, explaining it should not be used anymore.
  • Use either PDO or MySQLi. There are better, more robust and well-built alternatives: PDO – PHP Database Object, which offers a complete OOP approach to database interaction, and MySQLi, which is a MySQL specific improvement.
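The answer above recommends MySQLi as the other alternative and names SQL injection as the vulnerability prepared statements counter. The script below is an added example (written for this page, not code from the original answer) showing the classic quote-based injection against a login lookup: the query text legacy string concatenation produced, next to a MySQLi prepared statement for the same lookup. It assumes a local MySQL server with the hypothetical credentials in the `new mysqli(...)` line and a PHP build with mysqlnd (needed for `get_result()`); the `users` table and its two rows are constructed inside the script.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. Assumes a local MySQL
// server, these hypothetical credentials, and mysqlnd for get_result().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become mysqli_sql_exception
$db = new mysqli('127.0.0.1', 'app', 'secret', 'app');
$db->set_charset('utf8mb4'); // binding and escaping are computed against the connection charset

// Constructed sample data so the script is self-contained.
$db->query('CREATE TEMPORARY TABLE users (username VARCHAR(50) PRIMARY KEY, pw_hash VARCHAR(255))');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
foreach ([['alice', password_hash('alice-pw', PASSWORD_DEFAULT)],
          ['bob',   password_hash('bob-pw',   PASSWORD_DEFAULT)]] as [$u, $h]) {
    $ins->bind_param('ss', $u, $h);
    $ins->execute();
}

// Constructed attacker input for a login form's username field.
$tainted = "' OR '1'='1";

// What legacy concatenation produced: the quote in the input closes the string
// literal and the WHERE clause becomes `username = '' OR '1'='1'`, always true.
$legacySql = "SELECT username, pw_hash FROM users WHERE username = '$tainted'";
echo "Legacy query text: $legacySql\n";
echo 'Legacy rows returned: ' . $db->query($legacySql)->num_rows . "\n"; // 2: every user

// MySQLi prepared statement: the ? placeholder is part of the statement sent to
// the server; the value travels separately, so the quotes in $tainted are just
// characters of a username that does not exist.
function lookupUser(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, pw_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

var_dump(lookupUser($db, $tainted));   // NULL: no such username
$row = lookupUser($db, 'alice');
var_dump($row !== null && password_verify('alice-pw', $row['pw_hash'])); // bool(true)
```

Two things in this block are worth carrying into real code: `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` so a failed prepare or execute throws instead of returning `false` that the next line silently dereferences, and `set_charset()` on the connection, because MySQLi's escaping and the client library's handling of multibyte input depend on it. The password check is done with `password_verify()` in PHP rather than by putting the password into the query, so the hash never becomes part of any SQL text either.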