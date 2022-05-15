OhMonty: OhMonty: tons of mysql_* queries

Since you must go through all the database specific code at least once, even for the mysqli extension (the parameter order is different and it requires the connection parameter), you might as well future-proof it and update it to use the PDO extension.

You can use prepared queries with the mysqli extension, but here’s the problem, non-prepared and prepared query statements use a totally different programming api, which means you are dealing with almost two different database extensions.

Another thing that often affects old code is that it mixed the database specific code in with the presentation code. Since you have to go through the code updating the database specific code, this would be a good time to separate these two concerns. The way to do this is to simply move the database specific code to be above the start of the html document, fetch all the data from any query into an appropriately named variable, then test/use this variable at the correct location in the html document.

Converting old code to use the PDO extension, and using a prepared query, can be simple and straightforward. Perhaps post a few examples of what you are doing for someone to see if you are using the simplest method.

OhMonty: OhMonty: I don’t need to be able to support all kinds of databases, this code isn’t portable and will be used in a controlled environment.

That’s not the primary reason for everyone recommending the PDO extension. It is simple, consistent, well designed, and using a prepared query provides sql injection protection for all data types.