The Plot to Kill PHP MySQL Extension

Today I received a mass email from phpclasses.org. It announced a new entry on the blog run by Manuel Lemos, the creator of the phpclasses.org site.

In this entry he informs us that the PHP core developers are planning to kill PHP's original MySQL extension.

Here is a quote:

The idea is to first mark its functions as deprecated in the PHP documentation. The intention is to educate PHP developers to migrate their code to use the mysqli or the PDO extensions instead, or the mysqlnd, why not?

In future versions, say PHP 5.5 or 5.6 common calls to functions like mysql_pconnect, mysql_query, etc. will throw ugly E_DEPRECATED notices. And eventually in PHP 6 or later, if it will ever happen, code that uses those functions will be removed from the main PHP distribution permanently.

While these plans didn’t shock me, as I have waited for this moment for years, the author’s opinion on this subject did surprise me:

So, is this PHP mysql extension deprecation really necessary? I don’t think so, but that is just my opinion. At most it will avoid the need to maintain the documentation of multiple extensions to access MySQL databases.

So, for the PHP developers that have old code to access MySQL databases this idea will not be beneficial at all. Once the deprecation becomes official, it will start annoying PHP developers that do not want to waste time rewriting code that always worked for many years.

So I am afraid the first PHP version that introduces this deprecation will suffer from the same adoption delay problems as PHP 5.

Unfortunately, I do not share his opinion. In my view it’s a good move by the creators of PHP.

My opinion

First of all, the mysql extension is out of date. It does not support many of the new features of the MySQL 5.x+ database:

  1. does not support prepared statements (potential security issue),
  2. has poor i18n support (potential SQL sanitization problems),
  3. does not support stored procedures,
  4. cannot read multiple result sets from one query (returned from stored procedures, etc.),
  5. does not offer multi-query functionality (slow batch queries),
  6. etc.

Those were the missing features. But you may say: “so what, don’t fix what isn’t broken”.

Well, the majority of old PHP software that uses the old mysql extension has, by design, some potential security holes:

  1. because it probably uses mysql_escape_string or mysql_real_escape_string selectively…
  2. because of potential incompatibilities with new versions of MySQL (MySQL 5.x is not 100% compatible with your software, so you often stick to the old, buggy 4.1.x and 4.0.13 databases),
  3. because your software runs smoothly only on the old PHP 5.1 and 5.0 (there are some minor incompatibilities with newer versions of PHP, like these: http://www.php.net/manual/en/migration51.references.php, http://www.php.net/manual/en/migration53.deprecated.php, etc.),
  4. because your boss does not understand why he should pay you extra money for fixing something that works fine, and forbids you to change anything or test any new versions of MySQL/PHP.

Conclusion

If your software is old, you are forced to test it against any new version of PHP/MySQL every time you update your system software.

If your software fails the compatibility tests and you don’t want to rewrite your db layer, you can always make some simple code changes:

  1. disable the deprecated MySQL extension entirely (so you can implement your own mysql_connect(), mysql_query(), etc. functions),
  2. write your own MySQL wrapper in PHP (which uses PDO internally) and include it using the “auto_prepend_file” directive.
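
Option 2 above, as an added example that is not code from the original post: a compatibility file that defines a few of the old mysql_* functions on top of PDO. The file name, the __legacy_mysql_link global, the utf8 charset and the bare-host-name server argument are assumptions.

```php
<?php
// legacy_mysql_shim.php (hypothetical file name), loaded through
// php.ini:  auto_prepend_file = /path/to/legacy_mysql_shim.php
// Added example: defines a few mysql_* names on top of PDO, only when the
// original extension is not loaded.
if (!function_exists('mysql_connect')) {

    function mysql_connect($server = 'localhost', $user = '', $password = '')
    {
        try {
            // Assumptions: $server is a bare host name, the app uses utf8.
            // No database in the DSN; mysql_select_db() issues USE later.
            $pdo = new PDO("mysql:host=$server;charset=utf8", $user, $password);
            // Legacy callers expect FALSE on failure, not exceptions.
            $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
        } catch (PDOException $e) {
            return false;
        }
        return $GLOBALS['__legacy_mysql_link'] = $pdo;
    }

    function mysql_select_db($name, $link = null)
    {
        $link = $link ?: $GLOBALS['__legacy_mysql_link'];
        // Identifiers cannot be bound as parameters; double any backticks.
        return $link->exec('USE `' . str_replace('`', '``', $name) . '`') !== false;
    }

    function mysql_query($sql, $link = null)
    {
        $link = $link ?: $GLOBALS['__legacy_mysql_link'];
        $stmt = $link->query($sql);
        if ($stmt === false) return false;
        // Statements with a result set return it; others return TRUE.
        return $stmt->columnCount() > 0 ? $stmt : true;
    }

    function mysql_fetch_assoc($result)
    {
        return $result->fetch(PDO::FETCH_ASSOC);
    }

    function mysql_real_escape_string($value, $link = null)
    {
        $link = $link ?: $GLOBALS['__legacy_mysql_link'];
        // PDO::quote() adds surrounding quotes; the legacy API returns none.
        return substr($link->quote($value), 1, -1);
    }
}
```

A wrapper like this keeps old call sites running, but they still build SQL by string concatenation and still escape only where the original code did. The prepared-statement benefit from the list above arrives only when those call sites are rewritten to use PDO::prepare() with bound parameters.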

As I see it, it’s two days’ work to make your own MySQL wrapper in pure PHP, or up to four days to write it as a PHP extension in C/C++.

From the PHP core developers’ point of view:

removing one deprecated library = more secure PHP = less time spent on maintaining legacy code = more time for research & development = better PHP

Manuel mentions the financial problems associated with software updates. He believes that many will not be able to afford changes to their old PHP code. In my opinion there is no shortage of money in the IT market. There are just many CEOs who do not want to spend money on improving something that already works, but this is the wrong tactic; just look at Sony’s problems with vulnerabilities in their software.

And what is your opinion on this story?
