Why Are PHP's MySQL_ Functions Deprecated

Why are PHP's mysql_ functions deprecated?

The mysql extension is ancient and has been around since PHP 2.0, released 15 years ago (!!); which is a decidedly different beast than the modern PHP which tries to shed the bad practices of its past. The mysql extension is a very raw, low-level connector to MySQL which lacks many convenience features and is thereby hard to apply correctly in a secure fashion; it's therefore bad for noobs. Many developers do not understand SQL injection and the mysql API is fragile enough to make it hard to prevent it, even if you're aware of it. It is full of global state (implicit connection passing for instance), which makes it easy to write code that is hard to maintain. Since it's old, it may be unreasonably hard to maintain at the PHP core level.

The mysqli extension is a lot newer and fixes all the above problems. PDO is also rather new and fixes all those problems too, plus more.

Due to these reasons* the mysql extension will be removed sometime in the future. It did its job in its heyday, rather badly, but it did it. Time has moved on, best practices have evolved, applications have gotten more complex and require a more modern API. mysql is being retired, live with it.

Given all this, there's no reason to keep using it except for inertia.


* These are my common sense summary reasons; for the whole official story, look here: https://wiki.php.net/rfc/mysql_deprecation

Choice quotes from that document follow:

The documentation team is discussing the database security situation,
and educating users to move away from the commonly used ext/mysql
extension is part of this.

Moving away from ext/mysql is not only about security but also about
having access to all features of the MySQL database.

ext/mysql is hard to maintain code. It is not getting new
features. Keeping it up to date for working with new versions of
libmysql or mysqlnd versions is work, we probably could spend that
time better.

Why shouldn't I use mysql_* functions in PHP?

The MySQL extension:

  • Is not under active development
  • Is officially deprecated as of PHP 5.5 (released June 2013).
  • Has been removed entirely as of PHP 7.0 (released December 2015)

    • This means that as of 31 Dec 2018 it does not exist in any supported version of PHP. If you are using a version of PHP which supports it, you are using a version which doesn't get security problems fixed.
  • Lacks an OO interface
  • Doesn't support:

    • Non-blocking, asynchronous queries
    • Prepared statements or parameterized queries
    • Stored procedures
    • Multiple Statements
    • Transactions
    • The "new" password authentication method (on by default in MySQL 5.6; required in 5.7)
    • Any of the new functionality in MySQL 5.1 or later

Since it is deprecated, using it makes your code less future proof.

Lack of support for prepared statements is particularly important as they provide a clearer, less error-prone method of escaping and quoting external data than manually escaping it with a separate function call.

See the comparison of SQL extensions.
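
To make the point about prepared statements concrete, here is an added example (not part of the original answers) that contrasts the removed mysql_* pattern, shown only in comments, with a PDO parameterized query. The function name findUsersByName, the users table, and the sample inputs are hypothetical, and it assumes the pdo_sqlite driver so that it runs offline with an in-memory database.

```php
<?php
declare(strict_types=1);

// Legacy pattern (ext/mysql, removed in PHP 7.0), shown for contrast only:
//   $name = mysql_real_escape_string($_GET['name']);
//   $res  = mysql_query("SELECT id, name FROM users WHERE name = '$name'");
//   $n    = mysql_num_rows($res);
// Safety depends on never forgetting the escape call and always quoting the value.

/** Return users whose name matches exactly; $name is bound as data, never interpolated. */
function findUsersByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumption: in-memory SQLite keeps the example self-contained. Against MySQL,
// use a DSN such as 'mysql:host=localhost;dbname=app;charset=utf8mb4' and also
// set PDO::ATTR_EMULATE_PREPARES => false to get server-side prepared statements.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample rows; the same statement is prepared once and reused.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['alice', "O'Brien", 'bob'] as $sampleName) {
    $insert->execute([':name' => $sampleName]);
}

// Constructed inputs: a plain name, a name containing a quote, and a value
// containing quote characters and SQL keywords. All three are treated as data.
$inputs = ['alice', "O'Brien", "x' OR 'a'='a"];
foreach ($inputs as $input) {
    $rows = findUsersByName($pdo, $input);
    // Replacement for mysql_num_rows(): count the fetched rows. rowCount() is
    // not portable across drivers for SELECT statements.
    printf("%-16s => %d row(s)\n", $input, count($rows));
}
```

The value with embedded quotes matches no row because the driver never parses it as SQL, and no escaping call appears anywhere in the calling code.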

mysql_ deprecated

According to the PHP Manual, you should use any of the following:

  • mysqli_stmt_num_rows()
  • PDOStatement::rowCount()

To be clear though, neither of these is a mere substitute for mysql_num_rows(). Your code must eventually be rewritten entirely to use the MySQLi or PDO API in lieu of mysql_*().

PHP - is mysql_prep deprecated

mysql_prep must be some user defined function. It does not exist in the php docs.

http://php.net/manual-lookup.php?pattern=mysql_prep&scope=quickref

Look inside this function in your own code and if it has any references to mysql_ functions then consider it deprecated. All mysql_ functions are deprecated as of PHP 5.5 and are removed in PHP 7.

Use mysqli_ functions or PDO instead.


