PHP: Important Reasons to Avoid Old MySQL Functions

By: Morpheus Data


When you are writing a new PHP application or updating an older one, make sure you no longer use the old (and now removed) ext/mysql extension. On PHP versions below 7 the extension still works, so older tutorials that recommend its functions may seem perfectly fine.

However, doing so not only limits your application; it also leaves it far more exposed to SQL injection, an attack that can cause your organization a great deal of trouble if it succeeds.

What was ext/mysql?

The ext/mysql extension let PHP connect to and query a MySQL database, giving a PHP application an easy way to store and retrieve information. It was introduced in PHP 2 and was still bundled with PHP 5, so it was readily available to anyone wanting to use MySQL from a PHP application.

With the ext/mysql extension, a few simple lines of code were enough to connect to a database, as shown below:

$dblink = mysql_connect('localhost', 'username', 'password');
mysql_select_db('db_name', $dblink);
mysql_set_charset('utf8', $dblink); // MySQL's charset name is 'utf8', not 'UTF-8'

From here, you could easily make use of its functions to perform various tasks. For example, a query could be run using the mysql_query function:

$result = mysql_query("SELECT * FROM table_name", $dblink) or die(mysql_error($dblink));

As you can see, interaction with a database was a fairly easy task, and with the extension already included, it was a quick way to get a PHP application connected to and querying a MySQL database.

Deprecation and removal of ext/mysql

As noted, one major reason to switch to a different extension for connection to a database is that the ext/mysql extension was deprecated in PHP 5, then completely removed from version 7. As a result, if you were to upgrade to PHP 7 and were still using the old extension, then the code to connect to and query your database would no longer work and your application would be broken until you could make the necessary changes to use a supported extension.

If the PHP update is not tested before it is rolled out to production, you will have a broken application. You will then have to either revert to the PHP version you had before or make the changes needed for the application to use a supported extension as quickly as possible, while users wait for the fix to be completed.

While these situations can be avoided with proper testing and code updates put in place before the change is moved to production, you can save yourself a few headaches by starting with an up-to-date extension (or by setting aside some time to switch any older PHP applications to an up-to-date one).

Missing features/security

Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.

Source: OWASP

The ext/mysql extension lacks a number of features that other extensions can offer. These include things such as the following:

Prepared statements and parameterized queries – According to OWASP, these are extremely helpful in preventing MySQL injection attacks, thus a very good thing to have available.

Non-blocking, asynchronous queries – For some applications, this can be quite a helpful feature to keep an app feeling snappy and responsive even while waiting for more than one query result to be returned.

Latest MySQL functionality – The extension was built for MySQL 3.23, which is now quite dated. As a result, many MySQL features you could be using are not available, which could slow down or hinder the development of your app.
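The non-blocking queries mentioned above are part of ext/mysqli's API. The following is an added example, not code from the original post: it starts two queries without waiting for either, then collects the results as they become ready with mysqli_poll(). The host, credentials, database name and the two report queries are placeholders.

```php
<?php
// Added example (not from the original post): non-blocking queries with ext/mysqli.
// Connection parameters and the two queries are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

$queries = [
    'orders'    => 'SELECT COUNT(*) AS n FROM orders',
    'customers' => 'SELECT COUNT(*) AS n FROM customers',
];

// A mysqli link can have only one asynchronous query outstanding, so each
// in-flight query gets its own connection.
$pending = [];
foreach ($queries as $name => $sql) {
    $link = new mysqli('localhost', 'username', 'password', 'db_name');
    $link->set_charset('utf8mb4');
    $link->query($sql, MYSQLI_ASYNC); // returns immediately, result not yet read
    $pending[$name] = $link;
}

// Wait for whichever connection finishes first and reap its result.
$counts = [];
while ($pending) {
    $read = $error = $reject = array_values($pending);
    // Block for at most one second; mysqli_poll() trims the arrays to the
    // links that are ready (or errored / rejected).
    $ready = mysqli_poll($read, $error, $reject, 1);
    if ($ready === false) {
        throw new RuntimeException('mysqli_poll() failed');
    }
    foreach ($read as $link) {
        $name   = array_search($link, $pending, true);
        $result = $link->reap_async_query();
        $counts[$name] = (int) $result->fetch_assoc()['n'];
        $result->free();
        unset($pending[$name]);
    }
    foreach ($error as $link) {
        $name = array_search($link, $pending, true);
        unset($pending[$name]);
        throw new RuntimeException("query '$name' failed: " . $link->error);
    }
}

var_dump($counts); // e.g. ['orders' => 120, 'customers' => 45]
```

Both queries run on the server at the same time, and the loop only waits as long as the slowest one takes, instead of the sum of the two. Note that mysqli_poll() only reports links that are ready; a link with neither a result nor an error is simply left in $pending for the next iteration.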

What other extensions can be used?

PHP.net lists two other popular extensions that have been included with PHP since version 5 and are still actively maintained: ext/mysqli and PDO_mysql. You will want to choose whichever one suits your needs the most.

The ext/mysqli extension has some similar syntax and function names to ext/mysql while adding new features such as asynchronous, non-blocking queries. The PDO_mysql extension offers a more object-oriented approach and can be used to connect to multiple database types instead of only being tied to a MySQL database. In either case, using one of these will put you in a far better place with your PHP applications moving forward!
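To make the OWASP point about parameterized queries concrete, and to show what the move from ext/mysql to either replacement looks like in practice, here is an added example that is not part of the original post. It places the injection-prone ext/mysql pattern (building SQL by string concatenation) next to the same lookup written with ext/mysqli and with PDO_mysql prepared statements. The users table, the email column, the connection parameters and the lookup functions are assumptions made for the example.

```php
<?php
// Added example (not from the original post). The `users` table, its `email`
// column, the connection parameters and the function names are placeholders.

// --- Vulnerable: the removed ext/mysql API with string-built SQL (PHP < 7 only) ---
// $email is spliced straight into the SQL text, so a value containing a quote
// character can change the structure of the statement instead of being treated
// as data. Defined here only for comparison; it is never called below.
function find_user_legacy($dblink, string $email): array
{
    $sql    = "SELECT id, name FROM users WHERE email = '" . $email . "'";
    $result = mysql_query($sql, $dblink) or die(mysql_error($dblink));
    $rows   = [];
    while ($row = mysql_fetch_assoc($result)) {
        $rows[] = $row;
    }
    return $rows;
}

// --- ext/mysqli with a prepared statement ---
// The SQL text is sent to the server first; the value is bound afterwards and
// is never parsed as SQL, whatever characters it contains.
function find_user_mysqli(mysqli $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email); // 's' = bind the value as a string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
}

// --- PDO_mysql with a named placeholder ---
function find_user_pdo(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup for the two supported extensions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of die()
$mysqli = new mysqli('localhost', 'username', 'password', 'db_name');
$mysqli->set_charset('utf8mb4');

$pdo = new PDO(
    'mysql:host=localhost;dbname=db_name;charset=utf8mb4',
    'username',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Untrusted input from the request; both calls treat it purely as data.
$email = $_GET['email'] ?? '';
var_dump(find_user_mysqli($mysqli, $email));
var_dump(find_user_pdo($pdo, $email));
```

The two safe variants differ only in style: mysqli uses positional ? markers and bind_param() with a type string, PDO accepts named placeholders and an array passed to execute(). Setting PDO::ATTR_EMULATE_PREPARES to false makes PDO send the statement and the parameters to the server separately rather than interpolating them client-side, which is the behaviour the OWASP description above relies on.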