On Wed, Nov 21, 2012 at 10:56 AM, Kris Craig <kris.cr...@gmail.com> wrote:
> On Wed, Nov 21, 2012 at 7:43 AM, Thomas Hruska <thru...@cubiclesoft.com> wrote:
>> On 11/12/2012 9:22 AM, Derick Rethans wrote:
>> Why deprecate?  Just because you like PDO doesn't mean everyone else will
>> like it.  Just because mysql_query() tends to create security
>> vulnerabilities in the hands of the uneducated who have the tendency to
>> string concatenate SQL queries together in an unsafe fashion, doesn't mean
>> users won't write insecure code with PDO.  Users are lazy - binding each
>> field separately is going to drive some to resort to string concatenation,
>> which will result in a situation nearly identical to what you have already.
>>  In the hands of someone who knows what they are doing, ext/mysql is the
>> same as, if not better than, mysqli and PDO.
> PHP is not etched in stone.  It is an ever-evolving, ever-improving
> language.  I'm not sure I understand the reasoning behind your "ext/mysql
> is the same as, if not better than, mysqli and PDO" remark.

"In the hands of someone who knows what they are doing, ext/mysql is
the same as, if not better than, mysqli and PDO."
...is the sentence in question. Note the qualifier.

> The ext/mysql
> extension does not support prepared statements; mysqli and PDO do

If you know what you're doing, prepared statement workflows are just
wasteful code bloat with absolutely no tangible benefits.
Again, note the qualifier.

> There is simply no rational reason for continuing to use ext/mysql over
> mysqli and PDO.

Not editing millions of lines of stable, and secure, code is a rational reason.

>  It does present significant security vulnerabilities.

<sarcasm>
Well, C has had tons of insecurities over the years, maybe we should
migrate PHP to be written in, oh, Ruby or something new and shiny like
that, because newer languages make shooting yourself in the foot
harder, and "new" somehow means "secure".
</sarcasm>

If there are actual security vulnerabilities in ext/mysql, by all
means, that's a good reason for rapid deprecation, but if there are
security vulnerabilities because people who *didn't know what they
were doing* created them, that's a battle that cannot be won.

-Ronabop

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
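The contrast the thread argues over, as an added example that is not part of the original message: a query assembled by string concatenation in the ext/mysql style, beside the same lookup done with a PDO prepared statement. It assumes PDO with an in-memory SQLite database so it runs offline; the binding code is the same with the MySQL driver, and mysqli offers the equivalent via bind_param().

```php
<?php
// Added example, not from the thread. Assumes PDO + in-memory SQLite so it
// runs offline; the prepared-statement code is unchanged for the MySQL driver.

// Constructed sample input: an ordinary name that happens to contain a quote.
$input = "o'brien";

// ext/mysql style: the SQL text is built by concatenation. The quote in
// $input closes the string literal early, so user input becomes part of the
// statement's *structure* rather than a value. mysql_query() needs a live
// server, so the text is built here and run through PDO to show what happens.
function build_concatenated_query(string $user): string {
    return "SELECT id FROM users WHERE name = '" . $user . "'";
}

// Prepared statement: the SQL text is fixed at prepare() time and the value is
// sent separately, so whatever $user contains is compared as data only.
// execute() takes every parameter in one array, so there is no per-field
// binding ceremony to tempt anyone back to concatenation.
function lookup_with_prepared(PDO $db, string $user): array {
    $stmt = $db->prepare("SELECT id FROM users WHERE name = :name");
    $stmt->execute([':name' => $user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('o''brien')");

// Concatenated: the statement text is now malformed, and any input that
// closes the literal and continues with SQL would instead run as SQL.
echo build_concatenated_query($input), "\n";
try {
    $db->query(build_concatenated_query($input));
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// Prepared: the quoted name is matched as a plain value (one row returned),
// and a value that looks like SQL is simply a name nobody has (no rows).
var_dump(lookup_with_prepared($db, $input));
var_dump(lookup_with_prepared($db, "alice' OR 'x'='x"));
```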
