Why are PHP's mysql
The mysql extension is ancient and has been around since PHP 2.0, released 15 years ago (!!); which is a decidedly different beast than the modern PHP which tries to shed the bad practices of its past. The mysql extension is a very raw, low-level connector to MySQL which lacks many convenience features and is thereby hard to apply correctly in a secure fashion; it's therefore bad for noobs. Many developers do not understand SQL injection and the mysql API is fragile enough to make it hard to prevent it, even if you're aware of it. It is full of global state (implicit connection passing for instance), which makes it easy to write code that is hard to maintain. Since it's old, it may be unreasonably hard to maintain at the PHP core level.
The mysqli extension is a lot newer and fixes all the above problems. PDO is also rather new and fixes all those problems too, plus more.
Due to these reasons* the mysql extension will be removed sometime in the future. It did its job in its heyday, rather badly, but it did it. Time has moved on, best practices have evolved, applications have gotten more complex and require a more modern API. mysql is being retired, live with it.
Given all this, there's no reason to keep using it except for inertia.
* These are my common sense summary reasons; for the whole official story, look here: https://wiki.php.net/rfc/mysql_deprecation
Choice quotes from that document follow:
The documentation team is discussing the database security situation, and educating users to move away from the commonly used ext/mysql extension is part of this.
Moving away from ext/mysql is not only about security but also about having access to all features of the MySQL database.
ext/mysql is hard to maintain code. It is not getting new features. Keeping it up to date for working with new versions of libmysql or mysqlnd versions is work, we probably could spend that time better.
Why are they deprecated?
Well, the fundamental reason is that the API was poorly designed. The mysqli library was created as a direct replacement for it, with better API design.
Yes, there are issues with the internal code for the library which means that it needs to be replaced, but if the API had been better designed in the first place, the mysqli library need not have been written; the improved code could simply have been swapped in to the existing library and we as developers could have carried on using the existing functions without needing to even know that things had changed internally.
However, that wasn't the case. The original API did have some critical design flaws which meant that when the PHP developers wanted to improve things, there were issues that meant that they could not do this.
Therefore, the best course of action for them was to provide a new API and deprecate the old one.
Deprecation
As far as I know, the Oracle folks responsible for the support just refused to do so anymore. That seems to be the main reason.
All other reasons are but silly excuses. There are a ton of extensions in PHP of the same age, happily up and running. Some new features in a modern version are not a reason to deprecate an older one. And of course, there is no security problem with the library itself but rather with library users.
does this mean I should cease to use them in my sites?
It depends.
You just shouldn't use whatever API calls in the application code, but in the DBAL library only.
It will not only make the whole driver problem negligible (as you will only need to rewrite a relatively small amount of library code in order to change drivers) but it can also make your code dramatically shorter and cleaner.
Performance
Speaking of the performance difference, there is an interesting thing to mention. The Internet is indeed full of benchmarks telling you that X is faster than Y by Z times. But how can one tell a good benchmark from a bad one? It's hard to tell in general. Generally speaking, when writing a test, one has to understand what they are doing. Unfortunately, most test-writers don't.
Let's take one linked in your question.
By including connection code in the loop, the author is merely benchmarking connection time, not what he intended to measure. The results are quite predictable.
Because mysql_connect() never actually reconnects (if not told explicitly), but rather uses the last opened connection instead. So we have the mysql ext dramatically faster as a result. No wonder, as both mysqli and PDO had to connect all the thousands of times, while mysql had to connect only once.
With connect removed from the iterated code, results dramatically change, showing total insignificance.
There are many other pitfalls in this test but the idea remains the same:
NEVER run idle benchmarks out of nowhere. But always do any benchmarks only if you have a reason to and in the real environment. Otherwise you will measure anything but whatever meaningful numbers.
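The DBAL advice in the answer above, together with the first answer's point about SQL injection, as an added example that is not code from any of the posts: a small wrapper that confines the driver to one class and only accepts bound parameters, which ext/mysql cannot do because it has no prepared statements. The class name `Db`, the `users` table and the use of in-memory SQLite in place of MySQL (assumes `pdo_sqlite` is installed) are assumptions made so the script runs offline.

```php
<?php
// Added example: a minimal DBAL so application code never touches driver calls.
// Assumptions: pdo_sqlite is available; in-memory SQLite stands in for MySQL;
// the class name Db and the users table are hypothetical.

final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        // The only place that knows which driver is in use. Switching to MySQL
        // means changing the DSN here, not the calling code.
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    /** Run a statement with bound parameters; values never enter the SQL text. */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }

    /** Convenience helper: run a query and return every row. */
    public function all(string $sql, array $params = []): array
    {
        return $this->run($sql, $params)->fetchAll();
    }
}

// One connection, opened once and passed explicitly (no implicit global link).
$db = new Db('sqlite::memory:');
$db->run('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->run('INSERT INTO users (name, role) VALUES (?, ?), (?, ?)',
         ['alice', 'admin', 'bob', 'user']);

// Constructed hostile input: concatenated into the query it would rewrite the
// WHERE clause; as a bound parameter it is only ever compared as a name.
$input = "x' OR '1'='1";
$rows  = $db->all('SELECT id, name FROM users WHERE name = ?', [$input]);
var_dump(count($rows));            // number of users with that literal name

$rows = $db->all('SELECT id, name FROM users WHERE name = ?', ['alice']);
var_dump($rows[0]['name']);        // ordinary lookup through the same path
```

With a `mysql:` DSN the calling code stays the same; only the constructor arguments change.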