On Wed, Nov 21, 2012 at 7:43 AM, Thomas Hruska <thru...@cubiclesoft.com> wrote:
> On 11/12/2012 9:22 AM, Derick Rethans wrote:
>
>> On Mon, 12 Nov 2012, Adam Harvey wrote:
>>
>>> I've written an RFC to cover deprecating ext/mysql in PHP 5.5:
>>> https://wiki.php.net/rfc/mysql_deprecation. While we handled the soft
>>> deprecation in the documentation purely via a straw poll on Internals,
>>> I presume this will end up needing to go to a vote, hence the RFC.
>>>
>>> I won't rehash the background overly (there's some more detail in the
>>> RFC), other than to note that we've now had deprecation notices on all
>>> mysql_* functions in the manual for about six months and that the
>>> logical next step is to start generating E_DEPRECATED notices when
>>> users connect via mysql_connect(), mysql_pconnect() or the implicit
>>> ext/mysql connection routines. It's my belief that doing so will
>>> hasten the move of users to the more modern (and supported) APIs
>>> available: mysqli and PDO, and that this process will also likely
>>> encourage some users to switch to safer patterns such as prepared
>>> queries at the same time.
>>
>> IMO, there doesn't need to be a discussion on *how* to deprecate
>> ext/mysql. We have E_DEPRECATED for that, just like you write in your
>> RFC. The only question is "do we want
>> to deprecate it?". On that one: +1
>>
>> cheers,
>> Derick
>
> -1
>
> Why deprecate? Just because you like PDO doesn't mean everyone else will
> like it. Just because mysql_query() tends to create security
> vulnerabilities in the hands of the uneducated who have the tendency to
> string concatenate SQL queries together in an unsafe fashion, doesn't mean
> users won't write insecure code with PDO. Users are lazy - binding each
> field separately is going to drive some to resort to string concatenation,
> which will result in a situation nearly identical to what you have already.
>
> In the hands of someone who knows what they are doing, ext/mysql is the
> same as, if not better than, mysqli and PDO.

PHP is not etched in stone. It is an ever-evolving, ever-improving language. I'm not sure I understand the reasoning behind your "ext/mysql is the same as, if not better than, mysqli and PDO" remark. The ext/mysql extension does not support prepared statements; mysqli and PDO do. The ext/mysql extension doesn't support a lot of things that mysqli and PDO do, in fact. Conversely, I'm not aware of anything that ext/mysql can do that mysqli and PDO cannot. The only thing it's good for now is if you're running an ancient MySQL server <4.1; in which case, chances are you're not going to be running the latest PHP version, anyway.

There is simply no rational reason for continuing to use ext/mysql over mysqli and PDO. It does present significant security vulnerabilities. It doesn't take advantage of the latest features and improvements in MySQL. This isn't about what we "like." This is about what works best and what doesn't. The ext/mysql extension is simply obsolete. People only keep using it because they don't know any better. Throwing E_DEPRECATED in 5.5 will help rectify that.

If you're upgrading to PHP 6 in the future, you should already be aware that there will be significant changes present, so the removal of ext/mysql should not be an issue. Some things become obsolete with time. It's just a fact of life. If you can't bring yourself to update your code to remove calls to something that has arguably been obsolete for the last 5+ years now, then don't upgrade PHP. If you want everything to stay the same, then stick with whatever older version you think is perfect. Otherwise, if you choose to upgrade, you have to understand that some things inevitably have to change in the name of progress.

--Kris