Hi,

On Sun, 2011-07-10 at 10:03 -0700, Philip Olson wrote:
> Greetings PHP geeks,
> 
> Don't panic! This is not a proposal to add errors or remove this
> popular extension. Not yet anyway, because it's too popular to do that
> now.
> 
> The documentation team is discussing the database security situation,
> and educating users to move away from the commonly used ext/mysql
> extension is part of this.

Moving away from ext/mysql is not only about security but also about
having access to all features of the MySQL database.

ext/mysql was built for MySQL 3.23 and only got very few additions since
then while mostly keeping compatibility with this old version, which
makes the code a bit harder to maintain. From the top of my head, missing
features not supported by ext/mysql include:
      * Stored Procedures (can't handle multiple result sets)
      * Prepared Statements
      * Encryption (SSL)
      * Compression
      * Full Charset support
      * ...

So moving away from ext/mysql is a good thing.

> This proposal only deals with education, and requests permission to
> officially convince people to stop using this old extension. This
> means:
> 
>  - Add notes that refer to it as deprecated
>  - Recommend and link alternatives
>  - Include examples of alternatives

+1

> There are two alternative extensions: pdo_mysql and mysqli, with PDO
> being the PHP way and main focus of future endeavors. Right? Please
> don't digress into the PDO v2 fiasco here.

I'm not sure the current PDO is "the" alternative. We (= MySQL/ORACLE)
focus mostly on mysqli, that's the extension providing access to all
current and future features of MySQL. True, many features could be added
to PDO but there are two design decisions in PDO which make this bad:

      * The parser used for identifying statement place holders is very
        basic, as it is implemented in PDO core, not the drivers, which
        leads to FRs like #54929 or the famous LIKE issue[1]
      * driver-specific functions are implemented by using __call()
        which means there is no good introspection mechanism to check
        whether a feature is available or not in the current setup.

Besides these two items there are every now and then reports on
PDO_mysql which in fact are caused by limitations in the PDO design
which can't be bypassed by the driver implementation.

A good abstraction layer would certainly be good for the language but
for now we (=MySQL/ORACLE) consider mysqli the preference.

> What this means to ext/mysql:
> 
>  - Softly deprecate ext/mysql with education (docs) starting today
>  - Not adding E_DEPRECATED errors in 5.4, but revisit for 5.5/6.0
>  - Add pdo_mysql examples within the ext/mysql docs that mimic the current 
>    examples, but occasionally introduce features like prepared statements
>  - Focus energy on cleaning up the pdo_mysql and mysqli documentation
>  - Create a general "The MySQL situation" document that explains the situation

I also want to point to http://forge.mysql.com/wiki/Converting_to_MySQLi
which has a script once developed by Ulf and others to automatically
convert code from using ext/mysql to mysqli. I haven't tried it with
recent versions of PHP but it should still work.

> The PHP community has been recommending alternatives for several years
> now, so hopefully this won't be a new concept or shock to most users.

:-)

johannes


[1] The LIKE case goes something like this:

<?php
// Pagination with PDO's default (emulated) prepared statements:
// the two values come in as strings, so the emulation quotes them.
$query = $pdo->prepare("SELECT id FROM `table` LIMIT ?, ?");
$query->bindValue(1, $_GET["offset"]);
$query->bindValue(2, $_GET["limit"]);
$query->execute();
?>

So there's some pagination of a result set and the user can browse
through the result; it looks quite ok, but the result is not a successful
query but an error:

        1064 You have an error in your SQL syntax; check the manual that
        corresponds to your MySQL server version for the right syntax to
        use near ''1', '2''

Which is caused by PDO using PS emulation by default with MySQL (see
thread "Change Request: Make PDO default to not emulate prepared
statements for MySQL" from April/May 2011 on this list) and $_GET
containing strings while the parser is not context-aware. Of course this
can easily be fixed by explicitly binding using PDO::PARAM_INT.

-- 
Johannes Schlüter, ORACLE
MySQL Engineering - Connectors And Client Connectivity


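The following is an added example, not code from the mail above or from the PDO or MySQL projects. It works through the LIMIT case from the footnote on a live connection: first it reproduces the 1064 error by binding raw strings under the default emulated prepared statements, then it shows the fix the mail mentions (binding with PDO::PARAM_INT, here combined with an explicit integer cast so the value is an integer regardless of how a given PDO version treats typed string parameters), and finally the alternative from the referenced thread, turning PDO::ATTR_EMULATE_PREPARES off so a real server-side prepared statement is used. It assumes PHP 7 or later, a reachable MySQL server with the DSN and credentials shown, and a table `items` with an integer `id` column; the DSN, credentials, table name and the `paginate()` helper are all assumptions for illustration.

```php
<?php
// Added example, not the original mail's code. Assumed environment:
// MySQL reachable with this DSN/user/password, table `items` with column `id`.
$dsn  = 'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4';
$user = 'test';
$pass = 'test';

// Hypothetical helper: the corrected form of the footnote's pagination query.
function paginate(PDO $pdo, array $input): array
{
    // Cast first, then bind as an integer. The cast turns junk such as
    // "1 OR 1=1" into an int, and PARAM_INT makes PDO emit the value
    // unquoted, so the SQL becomes LIMIT 1, 2 rather than LIMIT '1', '2'.
    $offset = max(0, (int) ($input['offset'] ?? 0));
    $limit  = min(100, max(1, (int) ($input['limit'] ?? 20)));

    $stmt = $pdo->prepare('SELECT id FROM `items` ORDER BY id LIMIT ?, ?');
    $stmt->bindValue(1, $offset, PDO::PARAM_INT);
    $stmt->bindValue(2, $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // raise instead of silently failing
]);

// Constructed stand-ins for $_GET['offset'] and $_GET['limit']: strings,
// exactly as a web request delivers them.
$request = ['offset' => '1', 'limit' => '2'];

// 1) Default: emulated prepares plus untyped string binding. PDO quotes
//    both values client-side and MySQL rejects LIMIT '1', '2' with 1064.
try {
    $bad = $pdo->prepare('SELECT id FROM `items` ORDER BY id LIMIT ?, ?');
    $bad->bindValue(1, $request['offset']);
    $bad->bindValue(2, $request['limit']);
    $bad->execute();
} catch (PDOException $e) {
    echo "emulated, untyped strings: ", $e->getMessage(), "\n";
}

// 2) Same connection, cast + PDO::PARAM_INT: the query runs.
print_r(paginate($pdo, $request));

// 3) Emulation off: PDO sends a real server-side prepared statement and
//    the server receives typed parameters. The cast in paginate() still
//    applies, so the input is clamped before it ever reaches the server.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
print_r(paginate($pdo, $request));
```

With emulation on, the integer cast is what matters: relying on PDO::PARAM_INT alone with a string value is exactly the situation where the client-side parser is not context-aware, so cast to int yourself and clamp the range while you are at it. Turning emulation off avoids the client-side rewrite entirely, at the cost of one extra round trip per prepare.
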
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php