为什么不推荐使用 PHP 的 mysql_ 函数?

2021-12-25 00:00:00 php mysql pdo mysqli

因为我不久前停止使用这些功能,所以在这里玩了一点恶魔的代言人,但这个问题是真实的,可能对很多 SO 用户都很重要.

我们都知道以错误的方式使用 mysql_ 函数可能非常危险,它会使您的网站容易受到攻击等.但正确使用这些函数可以防止 SQL 注入,并且实际上快了一点比新的 PDO 函数.

We all know that using mysql_ functions in the wrong way can be very dangerous, it can leave your website vulnerable, etc. but used correctly these functions can be protected against SQL injection and are actually a fair bit faster than the newer PDO functions.

考虑到所有这些,为什么不推荐使用 mysql_ 函数?

Bearing all this in mind, why have the mysql_ functions been deprecated?

推荐答案

mysql 扩展很古老,从 15 年前发布的 PHP 2.0 开始就已经存在 (!!);这与试图摆脱过去不良做法的现代 PHP 截然不同.mysql 扩展是一个非常原始的、低级的 MySQL 连接器,它缺乏许多方便的特性,因此很难以安全的方式正确应用;因此,这对菜鸟不利.许多开发人员不了解 SQL 注入,而且 mysql API 非常脆弱,即使您知道它也很难阻止它.它充满了全局状态(例如隐式连接传递),这使得编写难以维护的代码变得容易.由于它很旧,在 PHP 核心级别维护可能会非常困难.

The mysql extension is ancient and has been around since PHP 2.0, released 15 years ago (!!); which is a decidedly different beast than the modern PHP which tries to shed the bad practices of its past. The mysql extension is a very raw, low-level connector to MySQL which lacks many convenience features and is thereby hard to apply correctly in a secure fashion; it's therefore bad for noobs. Many developers do not understand SQL injection and the mysql API is fragile enough to make it hard to prevent it, even if you're aware of it. It is full of global state (implicit connection passing for instance), which makes it easy to write code that is hard to maintain. Since it's old, it may be unreasonably hard to maintain at the PHP core level.

mysqli 扩展更新了很多,并修复了上述所有问题.PDO 也是相当新的,也解决了所有这些问题,以及更多.

The mysqli extension is a lot newer and fixes all the above problems. PDO is also rather new and fixes all those problems too, plus more.

由于这些原因* mysql 扩展将在未来某个时候被删除.它在鼎盛时期完成了它的工作,相当糟糕,但它做到了.时间在流逝,最佳实践已经发展,应用程序变得更加复杂并且需要更现代的 API.mysql 即将退休,请继续使用.

Due to these reasons* the mysql extension will be removed sometime in the future. It did its job in its heyday, rather badly, but it did it. Time has moved on, best practices have evolved, applications have gotten more complex and require a more modern API. mysql is being retired, live with it.

考虑到所有这些,除了惯性之外,没有理由继续使用它.

Given all this, there's no reason to keep using it except for inertia.

* 这些是我的常识总结原因;对于整个官方故事,请看这里:https://wiki.php.net/rfc/mysql_deprecation

* These are my common sense summary reasons; for the whole official story, look here: https://wiki.php.net/rfc/mysql_deprecation

从该文档中选择引用如下:

Choice quotes from that document follow:

文档组正在讨论数据库安全情况,并教育用户远离常用的ext/mysql扩展是其中的一部分.

The documentation team is discussing the database security situation, and educating users to move away from the commonly used ext/mysql extension is part of this.

远离 ext/mysql 不仅关乎安全,还关乎可以访问 MySQL 数据库的所有功能.

Moving away from ext/mysql is not only about security but also about having access to all features of the MySQL database.

ext/mysql 很难维护代码.它不是没有新的特征.保持更新以使用新版本的libmysql 或 mysqlnd 版本是有效的,我们可能会花掉它时间更好.

ext/mysql is hard to maintain code. It is not not getting new features. Keeping it up to date for working with new versions of libmysql or mysqlnd versions is work, we probably could spend that time better.

相关文章