Deprecated MySQL extension in PHP 5.5.x

Question

According to the PHP manual, and a lot of sources on the internet as of PHP 5.5.x the whole original MySQL extension is deprecated. I have a really robust web application th

Answer 1

Is my application ever going to become inaccessible on the internet if I leave everything with the deprecated mysql_* extension?

Your application will only break if and when the server it is running on is upgraded to a PHP version that doesn't support the old API. If your server doesn't get upgraded to PHP 5.5, then your app will continue running as is indefinitely. Nothing else on the outside internet will affect it in that respect; only upgrades to your own server are relevant.

For the time being, php 5.4 is still actively supported, so you can happily stay on that version without needing to worry about your code suddenly breaking.

However, at some point in the future, for one reason or another, you will need to upgrade to PHP 5.5 or higher. PHP 5.4 will become end-of-life, and a move to 5.5 will be recommended. Or if you're using a shared hosting account, you may not even have any choice over your PHP version. So yes, you should expect for your current code not to work with the PHP version you're using at the time. Eventually.

So while there's no immediate urgency to make the switch, you should consider doing so as soon as possible. One thing you don't want is for the day to come when things break, and find yourself caught out.

5.5 has only just been released, so you probably have a few years before it becomes the lowest version available, but take my advice; you don't want to wait till the last moment.

Should I take some time and change all the mysql_* calls and switch them with mysqli_* calls.

You stated that your app is "really robust" and "will probably not be enhanced". So it's basically in a long-term maintenance-only phase.

Given those criteria, I would say that yes, making a simple switch to the mysqli lib is a sensible move. The changes required are fairly trivial (it sounds like you've got a handle on what to do already), and should have virtually no impact whatsoever on the rest of the software.

If your code is truly robust and well-written, you'll have it structured in such that there is a database layer of some sort, which will mean that you don't have much to do anyway.

If it's not so well structured, it might have a lot of mysql_query() calls scattered around the code, in which case it might take a bit more work. In this case, since you're working on the code anyway, you might consider taking the time to do a bit of restructuring. Create a database layer. Maybe start using prepared statements. I'd also recommend switching to PDO rather than mysqli. But your call -- given what you said in the question, it would be understandable if you wanted to do the minimum amount of work possible.

By the way - If you haven't done so already, you might also want to read this: Why shouldn't I use mysql_* functions in PHP?

Answer 2

Yes, the application will be inaccessible whenever your webhost upgrades to the PHP version where the extension is removed. Note that this wont happen in PHP 5.5 where extension is "only" flagged as deprecated. Exactly when the extension will be removed is afaik unknown atm.

Regarding the upgrade question: It really depends, do you expect your application to out-live mysql_*? Does your web host update PHP frequently? If they are slow with updates you might be able to run the application for years.

Performance/security-wise it would be preferable to change to prepared statements.

Answer 3

Yes, you should bother to update your code to work with mysqli or PDO.

The reason lays not only in mysql_* to be inaccessible in future versions of PHP. But also in your security.

mysql_* doesn't support prepared statements/parameterized statements that cover sql protection. You can use mysql_real_escape_string(), but even that is not flawless when dealing with MultiByte characters.

See also: https://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l and https://stackoverflow.com/a/12118602/1209443

Answer 4

Should I take some time and change all the mysql_* calls and switch them with mysqli_* calls.

No, No and No.

• If you want to make your application better, make yourself familiar with some sort of ORM or query builder or at least DAL like PDO or safeMysql.
• If you want to have your application just keep going - just keep it as is. You aren't have 5.5 on your servers yet, are you? When you get it, you'll be able to turn deprecated-level notices off. Is not the best approach but cheap and usable.

While changing mysql to mysqli calls mechanically will do no good.

Is my application ever going to become inaccessible on the internet if I leave everything with the deprecated mysql_* extension?

Can't actually get what you are asking here, but I'd say that you have at least 5 years ahead.

Answer 5

The question you should be asking yourself is

"How long before I am forced to move to a version of PHP that no longer supports mysql_*?"

If you never upgrade your PHP you do not need to change the code at all. ( Please dont shout at me yet guys )

However some time in the furture you are going to have to move to a newer verion of PHP

You ISP or your network admin is going to insist that the version of PHP you are stuck on is to old and insecure to have on the network.

So the honest answer is, you dont have to do it by Friday, but when that admin insists on removing your version of PHP you will have to do it sometime. So when you have the time DO IT.