downah (Posted May 7, 2012)

So I just saw this http://www.ultramegatech.com/2009/07/using-mysql-prepared-statements-in-php/ in another topic, and am a bit confused now. I started coding a little while back, but did not get introduced to mysqli until very recently. Should I change all my normal mysql queries to the mysqli prepared statements like the website/tutorial states? Does this mean I won't have to use mysql_real_escape_string, and that it is more secure in general? Would really like some input, much appreciated.

Thread: https://forums.phpfreaks.com/topic/262214-very-confused/
WatsonN (Posted May 7, 2012)

I have the same question. I have always used MySQL, but now I'm hearing I should be using MySQLi? If so, why? What is so much better about this versus the old MySQL? I am simply curious. Thank you.
scootstah (Posted May 7, 2012)

You don't have to change your queries to prepared statements, but there are benefits to doing so. Of course, there are also downsides: prepared statements usually require a little more processing time, albeit very little (probably unnoticeable). If you use prepared statements, you do not have to escape data. SQL injection is altogether avoided. You do, however, still need to sanitize for things like XSS (if you prefer to store cleansed data rather than cleanse on output).

WatsonN wrote:
"I have the same question, I have always used MySQL but now I'm hearing I should be using MySQLi? If so, why? What is so much better about this versus the old MySQL? I am simply curious. Thank you"

The mysqli extension has quite a few benefits. Namely: an optional object-oriented API, prepared statements, and it is being actively developed (the mysql extension is maintenance-only).
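As an added example (not code from this thread or from the linked tutorial), here is the string-concatenation query the thread calls a "normal mysql query" next to its mysqli prepared-statement form, with the XSS escaping scootstah mentions done at output time. The users table, its username and email columns, and the DB_* environment variables used for the connection are assumptions for illustration.

```php
<?php
// Added example, not from the forum thread. Table/column names (users,
// username, email) and the DB_* environment variables are assumed.
declare(strict_types=1);

// The old pattern: user input is spliced into the SQL text, so the input can
// change the structure of the statement, not just the value being compared.
function buildUnsafeQuery(string $username): string
{
    return "SELECT id, email FROM users WHERE username = '" . $username . "'";
}

// The mysqli form: the SQL text is fixed at prepare() time and the value is
// sent separately, so it is never parsed as SQL. Returns matching rows.
function findUserSafe(mysqli $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username); // 's' = bind the value as a string
    $stmt->execute();
    $result = $stmt->get_result();     // needs the mysqlnd driver
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Prepared statements do nothing for HTML output; escape when rendering.
function renderRow(array $row): string
{
    $email = htmlspecialchars((string) $row['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li>' . $email . '</li>';
}

// Demo with a constructed malicious username. The unsafe builder produces a
// statement whose WHERE clause is always true; the prepared form would look
// for a user literally named "x' OR '1'='1".
$payload = "x' OR '1'='1";
echo buildUnsafeQuery($payload), PHP_EOL;

// The safe lookup needs a live server; connection details come from env vars.
if (getenv('DB_HOST') !== false) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
    $db = new mysqli(
        (string) getenv('DB_HOST'),
        (string) getenv('DB_USER'),
        (string) getenv('DB_PASS'),
        (string) getenv('DB_NAME')
    );
    $db->set_charset('utf8mb4'); // keep the connection charset explicit
    foreach (findUserSafe($db, $payload) as $row) {
        echo renderRow($row), PHP_EOL;
    }
}
```

For the constructed payload, buildUnsafeQuery() returns `SELECT id, email FROM users WHERE username = 'x' OR '1'='1'`, which matches every row; findUserSafe() sends the same string as a bound value and matches nothing. Note that bind_param() takes its arguments by reference, so pass a variable rather than an expression.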
downah (Author, Posted May 7, 2012)

I see, so if I start using the mysqli functions I won't have to sanitize my normal queries at all? I understand why it is a little bit slower, but that does not really bother me, as the pro side of not having to sanitize the database input, and it being a lot more secure, is a massive upside to me. I am just not sure what I am thinking is right. Would you say an experienced developer who is up to date would always use mysqli prepared statements instead of normal mysql queries? I am a bit confused as to what I should get used to doing; I was quite happy having gotten the grasp of the mysql functions.
WatsonN (Posted May 7, 2012)

@scootstah Thank you very much for explaining that.

downah wrote:
"I was quite happy having gotten the grasp of the mysql functions"

I agree, but if mysqli is better I'll be glad to use it. It gives me a reason to make new stuff and play with my old code.
xyph (Posted May 7, 2012)

Most up-to-date developers would be using PDO, unless there's some MySQL-specific syntax or optimizations that need to be performed. If I was writing MySQL-specific queries, I would use MySQLi in its object-oriented form. I tend to not use prepared statements, but they do have merits. If you don't care to sanitize beyond real_escape_string(), then it's great. Personally, I like stricter sanitization that I code myself, and feedback if x data doesn't match y format. Only prepared statements, using placeholders, take care of sanitization for you. The standard mysqli_query will not.
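As an added example (not code from this thread), here is the combination xyph describes: strict, hand-written format checks that give feedback when input does not match the expected shape, in front of PDO placeholders that keep the value out of the SQL text. The users table, its columns, the DSN and the DB_* environment variables are assumptions for illustration; the PDO::ATTR_EMULATE_PREPARES setting is a real pdo_mysql option whose default is worth knowing about.

```php
<?php
// Added example, not from the forum thread. Table/column names and the DSN
// and DB_* environment variables are assumed.
declare(strict_types=1);

final class ValidationError extends InvalidArgumentException {}

// Validate the shape first and say why it was rejected, rather than silently
// escaping whatever arrived.
function requireUsername(string $value): string
{
    if (preg_match('/^[A-Za-z0-9_]{3,32}$/', $value) !== 1) {
        throw new ValidationError('username must be 3-32 letters, digits or underscores');
    }
    return $value;
}

function requireId(string $value): int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new ValidationError('id must be a positive integer');
    }
    return $id;
}

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // pdo_mysql emulates prepares by default (values interpolated
        // client-side). Turning emulation off uses real server-side prepared
        // statements, so the values travel separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Named placeholders: the SQL is fixed here, the value is supplied at execute().
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Typed binding for the integer key; returns the number of rows changed.
function updateEmail(PDO $db, int $id, string $email): int
{
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demo with constructed input: the validators reject the injection attempts
// with a message before any query is built.
foreach (["alice", "x' OR '1'='1", "bob; DROP TABLE users"] as $candidate) {
    try {
        requireUsername($candidate);
        echo "accepted username: $candidate", PHP_EOL;
    } catch (ValidationError $e) {
        echo "rejected '$candidate': ", $e->getMessage(), PHP_EOL;
    }
}
foreach (["42", "42 OR 1=1", "-1"] as $candidate) {
    try {
        echo "accepted id: ", requireId($candidate), PHP_EOL;
    } catch (ValidationError $e) {
        echo "rejected '$candidate': ", $e->getMessage(), PHP_EOL;
    }
}

// The queries need a live server; connection details come from env vars.
if (getenv('DB_DSN') !== false) {
    $db = connect((string) getenv('DB_DSN'), (string) getenv('DB_USER'), (string) getenv('DB_PASS'));
    var_dump(findUser($db, requireUsername('alice')));
    echo updateEmail($db, requireId('42'), 'alice@example.com'), " row(s) updated", PHP_EOL;
}
```

Of the constructed inputs only "alice" and "42" pass validation; the others are rejected with a message the caller can show to the user, which is the feedback xyph asks for. The placeholders are still what keeps the accepted values out of the SQL text; the validation narrows what reaches the database and makes bad input visible instead of silently escaped.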