Why Shouldn't I Use MySQL_* Functions in PHP

Why shouldn't I use mysql_* functions in PHP?

The MySQL extension:

  • Is not under active development
  • Is officially deprecated as of PHP 5.5 (released June 2013).
  • Has been removed entirely as of PHP 7.0 (released December 2015)

    • This means that as of 31 Dec 2018 it does not exist in any supported version of PHP. If you are using a version of PHP which supports it, you are using a version which doesn't get security problems fixed.
  • Lacks an OO interface
  • Doesn't support:

    • Non-blocking, asynchronous queries
    • Prepared statements or parameterized queries
    • Stored procedures
    • Multiple Statements
    • Transactions
    • The "new" password authentication method (on by default in MySQL 5.6; required in 5.7)
    • Any of the new functionality in MySQL 5.1 or later

Since it is deprecated, using it makes your code less future proof.

Lack of support for prepared statements is particularly important as they provide a clearer, less error-prone method of escaping and quoting external data than manually escaping it with a separate function call.

See the comparison of SQL extensions.

Why are PHP's mysql_ functions deprecated?

The mysql extension is ancient and has been around since PHP 2.0, released 15 years ago (!!); which is a decidedly different beast than the modern PHP which tries to shed the bad practices of its past. The mysql extension is a very raw, low-level connector to MySQL which lacks many convenience features and is thereby hard to apply correctly in a secure fashion; it's therefore bad for noobs. Many developers do not understand SQL injection and the mysql API is fragile enough to make it hard to prevent it, even if you're aware of it. It is full of global state (implicit connection passing for instance), which makes it easy to write code that is hard to maintain. Since it's old, it may be unreasonably hard to maintain at the PHP core level.

The mysqli extension is a lot newer and fixes all the above problems. PDO is also rather new and fixes all those problems too, plus more.

Due to these reasons* the mysql extension will be removed sometime in the future. It did its job in its heyday, rather badly, but it did it. Time has moved on, best practices have evolved, applications have gotten more complex and require a more modern API. mysql is being retired, live with it.

Given all this, there's no reason to keep using it except for inertia.


* These are my common sense summary reasons; for the whole official story, look here: https://wiki.php.net/rfc/mysql_deprecation

Choice quotes from that document follow:

The documentation team is discussing the database security situation, and educating users to move away from the commonly used ext/mysql extension is part of this.

Moving away from ext/mysql is not only about security but also about having access to all features of the MySQL database.

ext/mysql is hard to maintain code. It is not getting new features. Keeping it up to date for working with new versions of libmysql or mysqlnd versions is work, we probably could spend that time better.

MySQL Functions Do Not Work

Most hosting providers do not allow external access to the databases they include with their plans. Not only that, most of them use localhost as a database server so as to force a socket connection (so that they can even disable network connections to their DBs altogether).

To test your script and site locally you will need to download a dump of your database and create a local version of it on your own.

Other issues with your code

As mentioned in comments:

  • You should be using the MySQL Improved Extension, instead of the old (and deprecated) MySQL extension
  • You are not sanitizing data you use for your queries (use prepared statements)
  • MD5 is not secure for passwords, you should be using the new password_hash instead

Why is it unsafe to pass a value to a PHP function to then escape it and return it back

There's nothing unsafe per se, but using prepared statements/binding values is preferred over escaping inputs explicitly. The latter is potentially unsafe for a couple reasons:

  • You may forget to escape an input
  • You may accidentally escape the same input twice
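The two pitfalls above, next to the prepared-statement alternative the earlier answers recommend (together with password_hash in place of MD5), as an added example that is not part of any of the original answers. It uses an in-memory SQLite PDO connection as a stand-in so it runs offline; the PDO calls are the same against a MySQL DSN, and the escaped() helper is a hypothetical stand-in for the "escape and return" function the question describes.

```php
<?php
// Added example, not from the original answers. SQLite in memory stands in
// for MySQL so this runs offline; swap the DSN for "mysql:host=...;dbname=..."
// and the prepare/execute calls below are unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');

// Hypothetical helper in the style the question asks about: escape a value and
// hand it back. PDO::quote() returns the value already wrapped in quotes.
function escaped(PDO $pdo, string $value): string {
    return $pdo->quote($value);
}

$name = "O'Brien";   // constructed sample input containing a quote character

// Pitfall 1: forgetting to escape. The quote in the data breaks the SQL text
// (and a deliberately crafted value could change what the statement does).
try {
    $pdo->exec("INSERT INTO users (name, pw_hash) VALUES ('$name', 'x')");
} catch (PDOException $e) {
    echo "unescaped insert failed: " . $e->getMessage() . "\n";
}

// Pitfall 2: escaping twice. Each quote() adds a layer of quoting, so the
// row ends up holding 'O''Brien' instead of O'Brien.
$twice = escaped($pdo, escaped($pdo, $name));
$pdo->exec("INSERT INTO users (name, pw_hash) VALUES ($twice, 'x')");
echo "double-escaped row stores: " . $pdo->query('SELECT name FROM users')->fetchColumn() . "\n";
$pdo->exec('DELETE FROM users');

// Prepared statement: the value travels separately from the SQL text, so it
// is never escaped by hand and cannot be escaped twice. password_hash()
// replaces the MD5 that the "Other issues" answer warns against.
$ins = $pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
$ins->execute([':name' => $name, ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Login check: look the row up by bound name, then verify the password hash.
function login(PDO $pdo, string $name, string $password): bool {
    $sel = $pdo->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $sel->execute([':name' => $name]);
    $hash = $sel->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}
var_dump(login($pdo, "O'Brien", 'correct horse'));
var_dump(login($pdo, "O'Brien", 'wrong password'));
```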

Can't use Database Variable in Functions PHP

With PHP, you need to use global to access a variable outside the function:

 function getModelCountByManuid($manu_id){
     global $db;   // pull the connection object in from the global scope
     // Bind the id instead of concatenating it into the SQL string.
     // Assumes the wrapper's rawQuery() accepts positional bind parameters.
     $sql = 'SELECT COUNT(id) AS counti FROM tire_model WHERE cat_id_manufacturer = ?';
     $result = $db->rawQuery($sql, [$manu_id]);
     return $result;   // the original snippet computed the result but never returned it
 }

Call a function inside a request MySQL PHP

You can do it by creating a variable ($value) to hold the value, then using that in your SQL statement:

$value = SumSquares($value);   // compute the value in PHP first, then bind it (assumes $MySQL is a mysqli connection)
$stmt = $MySQL->prepare("INSERT INTO `your_table` (`id`, `val`) VALUES (?, ?)");
$stmt->bind_param('ii', $id, $value);   // bound as integers rather than interpolated, so the values cannot alter the SQL
$stmt->execute();

I don't understand why this php function is not working

You defined the $multy variable outside of the function, so you need to pass it as a second parameter. So your code will be like this:

 $multy = [
     [
         'staff' => 'ben', 'job' => 'cooking', 'salary' => 1500,
     ],
     [
         'staff' => 'cy', 'job' => 'chef', 'salary' => 2000,
     ],
     [
         'staff' => 'sylva', 'job' => 'software engineer', 'salary' => 15000,
     ],
 ];

 // $multy is received as a parameter instead of being read from the outer scope
 function checkingList($name, $multy){
     foreach($multy as $mult){
         if($mult['staff'] === $name){
             echo $mult['staff'] .', You are hired. Your job is ' . $mult['job'].' and your salary is '. $mult['salary'];
         }
     }
 }
 checkingList('cy', $multy);
 // cy, You are hired. Your job is chef and your salary is 2000
