Ticket #1023 (fixed enhancement)
Drop mysql_ support
- Created: 2015-02-26 09:52:43
- Reported by: chris98
- Assigned to: Franz
- Milestone: 1.6
- Component: database
- Priority: normal
mysql_real_escape_string is proven to allow SQL Injection to stil get through: Why mysql_real_escape_string won't magically solve your SQL Injection problems | Mysql_real_escape_string will provide no protection whatsoever.
Most hosting environemnts which support mysql_ also support mysqli_ so there shouldn't be as much of a big issue as would be thought by removing this.
The MySQL extension is:
* Not under active development
* **Officially [deprecated]** (as of PHP 5.5. Will be removed in PHP 7.)
* Lacks an OO interface
* Doesn't support:
* Non-blocking, asynchronous queries
* **[Prepared statements] or parameterized queries**
* Stored procedures
* Multiple Statements
* All of the functionality in MySQL 5.1
Since it is deprecated, using it makes your code less future proof.
Lack of support for prepared statements is particularly important as they provide a clearer, less error prone method of escaping and quoting external data than manually escaping it with a separate function call.
Some of the mods that work with the mysqli extension don't work with the old mysql extension because it's out dated (for example, some of the poll mods, my reputation system). Because it's not under active development, more exploits could be found and they would not be fixed.
At least I think a warning when installing could be added because even though things are escaped, it is still deprecated and not developed, and people with no experience to PHP may install using that extension, inadvertedly using outdatd functions.
chris98 2015-03-03 18:56:42
- Component changed from database to code.
Franz 2018-07-19 10:38:39
- Component changed from code to database.
- Milestone set to 1.6.