mysqli_ also has prepared statements and so it’s of course possible to make it as secure as PDO. But at the end you have to change every query using prepared statements and that is not less work than directly using PDO.
So yes you can, but it is the same work. You cannot just replace a mysql_xxx with a mysqli_xxx and it is safe.
You can do prepared statements with mysqli, though it’s not as straightforward as with PDO.
Though I would strongly advise to skip mysqli and continue to go straight across to PDO.
Once you get to know it, PDO is so much nicer to work with. It is simpler but more powerful.
Going from mysql to mysqli is not just a case of adding an i to your functions.
I know a lot of people leaving mysql, opt for mysqli thinking it will be an easier transition and are put off by the prospect of OOP (I actually did the same way back), but learning to use PDO (even before I learned OOP) I never looked back.
And since you say there are already parts that use PDO, it would be best to have the consistency of PDO across the board.
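The point made in the posts above, that a mysqli rewrite is just as much work per query as a PDO rewrite, is easiest to see side by side. The following is an added example, not code posted in this thread; the `users` table, its `id`/`name`/`email` columns, and the connection details are assumed.

```php
<?php
// Added example (not from the thread). The same lookup written three ways.
// Table and column names are assumed for illustration.

// 1) Legacy mysql_* shape: the value is spliced into the SQL text, so a
//    crafted $email changes the query. Kept only as the "before" shape;
//    the mysql_* extension itself was removed in PHP 7.
function find_user_legacy_shape(string $email): string
{
    return "SELECT id, name FROM users WHERE email = '" . $email . "'";
}

// 2) mysqli prepared statement: placeholder, typed bind, execute, fetch.
//    Note that this is a different API from mysqli_query(); renaming
//    mysql_query() to mysqli_query() would not get you here.
function find_user_mysqli(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);   // 's' = string; the data never enters the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// 3) PDO prepared statement: same guarantee, fewer steps, driver-independent.
function find_user_pdo(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// PDO connection with the settings that make the prepared-statement
// protection real: exceptions on error, and no client-side emulation so the
// server receives the placeholder and the value separately.
function make_pdo(string $host, string $dbname, string $user, string $pass): PDO
{
    $dsn = "mysql:host={$host};dbname={$dbname};charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Usage (connection values are placeholders):
// $pdo  = make_pdo('localhost', 'app', 'app_user', 'app_password');
// $user = find_user_pdo($pdo, $_GET['email'] ?? '');
```

The mysqli version needs an explicit type string in `bind_param()` and a `get_result()` call that is only available with the mysqlnd driver; the PDO version passes the parameters as an array and fetches the same way for every driver, which is why each migrated query ends up shorter with PDO than with mysqli.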
Since you must go through all the database specific code at least once, even for the mysqli extension (the parameter order is different and it requires the connection parameter), you might as well future-proof it and update it to use the PDO extension.
You can use prepared queries with the mysqli extension, but here’s the problem: non-prepared and prepared query statements use a totally different programming API, which means you are dealing with almost two different database extensions.
Another thing that often affects old code is that it mixed the database specific code in with the presentation code. Since you have to go through the code updating the database specific code, this would be a good time to separate these two concerns. The way to do this is to simply move the database specific code to be above the start of the HTML document, fetch all the data from any query into an appropriately named variable, then test/use this variable at the correct location in the HTML document.
Converting old code to use the PDO extension, and using a prepared query, can be simple and straightforward. Perhaps post a few examples of what you are doing for someone to see if you are using the simplest method.
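The separation described above (database code at the top, data fetched into a named variable, HTML below) looks like this in practice. This is an added example and not code from the thread; the `products` table, its columns, and the `make_pdo()` connection helper are assumed.

```php
<?php
// Added example (not from the thread): database work above the document,
// presentation below it. Table/column names and make_pdo() are assumed.

declare(strict_types=1);

function make_pdo(): PDO
{
    // Placeholder connection values.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Fetch every product in a category. The category id comes from the request,
// so it is bound as a parameter rather than written into the SQL.
function products_in_category(PDO $pdo, int $categoryId): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, price FROM products WHERE category_id = ? ORDER BY name'
    );
    $stmt->execute([$categoryId]);
    return $stmt->fetchAll();   // one array, consumed by the template below
}

// Small helper so every value printed into HTML is escaped the same way.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ---- all database-specific code ends here ----
$categoryId = filter_input(INPUT_GET, 'category', FILTER_VALIDATE_INT) ?: 0;
$products   = products_in_category(make_pdo(), $categoryId);
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Products</title></head>
<body>
<?php if ($products === []): ?>
    <p>No products found.</p>
<?php else: ?>
    <ul>
    <?php foreach ($products as $p): ?>
        <li><?= e($p['name']) ?> &mdash; <?= e(number_format((float) $p['price'], 2)) ?></li>
    <?php endforeach; ?>
    </ul>
<?php endif; ?>
</body>
</html>
```

Two things change compared with the typical mixed legacy page: the query no longer runs in the middle of the markup, so the template only tests and loops over `$products`, and the output escaping is in one place so a value stored in the database cannot inject HTML on the way back out.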
That’s not the primary reason for everyone recommending the PDO extension. It is simple, consistent, well designed, and using a prepared query provides SQL injection protection for all data types.