Using MySQLi and PDO instead of MySQL_*

By
Published ~ 5 minutes read

It is time to deal with mysql_* functions once and for all. These methods are deprecated and slow. The time to upgrade has long passed yet we still see it everywhere. Since I cannot force every author to update their tutorial and blogs, I decided to write a post to hopefully rank better and provide the essential information to help new comers.

Old tutorial are still leading on the web.

I do try to contribute as much as I can and Stackoverflow.com is my platform of choice. When I see people asking questions tagged php and mysql, I automatically know that someone will be using a deprecated function and that the code is vulnerable to SQL injection.

It may look like it will take a while before people move on from mysql_* functions however the community at stackoverflow is doing a pretty good job. In less than a minute after a question is asked, users start commenting about the deprecated functions and say: "mysql_* is deprecated, use mysqli or pdo", and all 3 keywords are hot-linked with their corresponding article.

I do feel however that simply reading the manual doesn't necessarily help. Seeing a real example may provide with more specific use case and help new users make their application more secure.

Switch mysql_* to mysqli or pdo

Make the switch: use MySQLi or PDO

Lets get down to it right away.

Connecting to a database.

Before having any interaction with the database, you have to connect to it: 

$mysqli = new mysqli('localhost','username','password','database');

Now that we have a connection we can query our data from our tables, 

$result = $mysqli->query("SELECT * FROM mytable LIMIT 10");

Note:
The MySqli driver gives you the option of using it in a object oriented way and functional way. For this particular example I used OO. Using it with functions is not very much different than how it worked with mysql_* . All you have to do is replace mysql_* with mysqli_* and it will work in most cases.

MySqli real world example

When you want to pass data in your query, mysqli allows you to use parameters to make it easier and more secure; no sql injection.

Let's say we want to add pagination to our website and our variable that determines the page is in the URL query. Here is how we would write it.

URL: http://example.com/show/books.php?page=1 

$page = $_GET['page']; 
$perpage = 10; // the number of results per page
$offset = ((int)$page-1) * $perpage; // geting the page offset 
$query = "SELECT id,name,author FROM books LIMIT ?,? "; 

// Connect to the database
$mysqli = new mysqli('localhost','username','password','database'); 

// stop if there is an error; 
if ($mysqli->connect_error){ // improve your error handler for extra points
    die("$mysqli->connect_errno: $mysqli->connect_error"); 
} 

// Binding parameters 
$statement = $mysqli->prepare($query); 
$statement->bind_param("ii",$offset,$perpage); 
$statement->execute();
$statement->bind_result($id,$name); 

// Get results
$result = $statement->get_result();

Same example using mysqli_* (non object oriented)

$page = $_GET['page']; 
$perpage = 10; // the number of results per page
$offset = ((int)$page-1) * $perpage; // getting the page offset 
$query = "SELECT id,name,author FROM books LIMIT ?,? "; 

// Connect to the database
$connection = mysqli_connect('localhost','username','password','database'); 

// stop if there is an error; 
if (mysqli_connect_errno()){ // improve your error handler for extra points
    die(mysqli_connect_errno().": ".mysqli_connect_error()); 
} 

// Binding parameters 
$stmt = mysqli_prepare($connection,$query); 
mysqli_stmt_bind_param($stmt, "ii",$offset,$perpage);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id,$name);
mysqli_stmt_fetch($stmt);

// Get results
mysqli_stmt_get_result($stmt);

Converting from mysql to mysqli is not very complicated. These example should be pretty straight forward and for any additional information you can consult the manual

Note:
If you are hosting your app on a shared hosting provider you might want to check with support to see if they support mysqli. Worst case scenario you can move your website to digitalocean.com. You will have much more control for virtually the same price.

Do you want to know more about MySqli and why you should use it? There is and in depth manual here that should answer all your questions.

On a related note, here are some interesting articles.

Fixing a 3 year old hack

Fixing a 3 year old hack

One of the sites I worked on was regularly getting hacked. The attacker did not leave much traces and eventually we learned how to deal with the symptoms of the attack rather than fix it. The common agreement was that maybe he was exploiting a bug in the framework. Recently, I did a deployment and didn't follow the exact procedures and we got hacked again. I got mad for getting blamed for it and decided it was time take a deeper look into the problem.

SQL injection and how to protect your website

SQL injection and how to protect your website

Experienced developers are expensive. In a world where cutting cost seems like the best option, companies try to maximize their profit by spending less and less on good talent. It is much cheaper to hire someone who just learned php a few weeks ago then a seasoned developer. But it becomes a very bad investment when the newbie introduces insecure code. The problem is, a lot of things learned from those LAMP CRUD application tutorial do not focus much on security. When this code is introduced to a commercial application, the damage can be very expensive. I like how stackoverflow users are fighting very hard to eradicate SQL injection, I am doing my part too but it seems like it is much easier to find insecure code on-line. That said, I will attempt to scare you off your feet so you know better what is the cost of SQL injection.

Abstracting MySql results in PHP

Abstracting MySql results in PHP

If there is one thing a web server does everyday it iss connecting to the database. I have been using PHP for many years now, but if you ask me to write a script to fetch data from the database I couldn't do it without going back to the Ultimate PHP manual to find a few examples first.

View all articles

Comments(3)

agenify :

Naturally like your website but you need to check the spelling on quite a few of your posts. Many of them are rife with spelling problems and I find it very troublesome to tell the truth, nevertheless I'll certainly come back again.

Ibrahim :

Thanks @agenify, there is no trouble telling the truth. I know that I have many spelling mistakes and I certainly don't take much time to correct them. But a message like yours is just what I need to get back and fix them all.

Thank you :)

bengkel poker :

Fucking awesome things here. I'm very glad to see your article. Thanks a lot and I am looking forward to contact you. Will you please drop me a e-mail?

Let's hear your thoughts

For my eyes only