Migrating from PHP 7 to PHP 8 and PDO

Well, I have decided to listen to you all and take the plunge, so I am going to start working with PHP 8 and using the PDO interface. I am also going to attempt switching my scripts from procedural to OO.

It’s quite scary for me and I know it is going to take a while, so if anybody has any tips, advice, warnings or just comments I will be happy to receive them.

And if it all goes wrong - it is your fault ! :laughing:

While it is a ‘plunge’, take it one simple step at a time.

First, establish the PDO object (the database connection).
Then update your queries as necessary. Usually, this is as simple as replacing mysqli_query with $pdo->query
From there, if you haven't already, you’re going to want to start looking at prepared statements, as they’re infinitely preferable to putting variables into queries.
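The three steps above, carried through in one script as an added example (not code from anyone in this thread). It assumes a table `users(id, name, email)` and the same placeholder credentials used elsewhere on this page; the `connect`, `countUsers` and `findUserByEmail` function names are my own.

```php
<?php
// Added example, not from the original thread.
// Assumes a table users(id, name, email) and placeholder credentials.
declare(strict_types=1);

// Step 1: establish the PDO object. PHP 8 already defaults to ERRMODE_EXCEPTION,
// but setting the attributes explicitly keeps the behaviour the same everywhere.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=the_database;charset=utf8mb4';
    return new PDO($dsn, 'db_user', 'db_pass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
    ]);
}

// Step 2: a query with no variables in it maps straight from mysqli_query to $pdo->query.
function countUsers(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Step 3: anything that carries a variable becomes a prepared statement.
// Before (procedural mysqli, string concatenation, open to SQL injection):
//   $res = mysqli_query($link, "SELECT id, name FROM users WHERE email = '$email'");
// After: the value is bound as a parameter and can never change the SQL text.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

try {
    $pdo = connect();
    echo 'Users: ' . countUsers($pdo) . PHP_EOL;

    // The apostrophe in this input would break the old concatenated query;
    // as a bound parameter it is just data.
    $user = findUserByEmail($pdo, "o'brien@example.com");
    echo $user === null ? 'No such user' : 'Found user #' . $user['id'];
} catch (PDOException $e) {
    // Keep the detail for the server log; show the visitor nothing about schema or credentials.
    error_log($e->getMessage());
    echo 'Database error';
}
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the MySQL server do the preparing, so the query text and the parameter values travel separately; with emulation on, PDO interpolates the quoted values client-side, which is still safe but is not what most people picture when they say "prepared statement".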

The live paid-for server I use doesn’t yet support PHP 8 (as far as I can see). Does yours? I wonder how many do at the moment?

Which server is that? Mine has since PHP8 was released.

UK Web Solutions Direct Ltd

I am with Hostpresto, which does provide PHP 8 with the added advantage that you can select the PHP version by domain. I have not yet tried it, but I do have XAMPP with PHP 8 for Windows 10 installed, so I will begin my testing there.

That’s exactly the kind of helpful step-by-step advice I need - thanks.

OK, so this is my first attempt at creating a connection. I want to display a success message as well as a fail message, but not display the actual error for security reasons (as advised on this site), so I have commented out the line that displays the exception. I do not close the connection here as it is a file to be ‘required once’ by other scripts. I also appreciate that my connection values - username, password, database name etc. - are weak, but this is not live yet and just for testing.

<?php
$servername = "localhost";
$username = "db_user";
$password = "db_pass";
$dbname = "the_database";

try {
  $pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
  // set the PDO error mode to exception (PHP 8 already defaults to this)
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  if ($pdo) {
    echo "Connected to the database successfully!";
  }
} catch (PDOException $e) {
  // the real reason stays out of the page; uncomment only while debugging locally
  //echo "Connection failed: " . $e->getMessage();
  echo 'Connection failed!<br>';
}
?>

This seems to work OK but as this is all new to me (including ‘try’ and ‘catch’) I want to be sure I am on the right path and not building in security issues for later down the line.

Thanks in advance

Others may have better insight; the only security ‘issue’ I would say is don’t store your database stuff in variables.
If later in your code, or including a file that loads your database connection, I can echo out $password …
(This is a rare attack vector that requires access to your file structure, but it’s happened.)

Compare:

<?php
$servername = "localhost";
$username = "db_user";
$password = "db_pass";
$dbname = "the_database";

try {
  $pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);

vs

try {
  $pdo = new PDO("mysql:host=localhost;dbname=the_database", "db_user", "db_pass");

Because I never store the password or username, the only thing that can access the password is the $pdo object, and you can’t extract it from the $pdo variable.

How does someone exploit this?

I’ve done this once. Piece of third party software, encrypted code. I can’t read it. But; I can include it.

<?php
include_once("hiddencode.php");
print_r(get_defined_vars());
?>

Suddenly I know what variables they left lying around in the variable table…
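The leak described in the two posts above, reproduced as an added example (not code from anyone in this thread). It needs no database: two small config files are written to the temp directory, one in each style from the "Compare" post, and then included by a consumer that dumps its symbol table exactly as the `get_defined_vars()` snippet does. The file names and the `makePdo` / `leakedNames` helpers are my own.

```php
<?php
// Added example, not from the original thread. No live database is used.
declare(strict_types=1);

$dir = sys_get_temp_dir();

// Style A: credentials parked in plain variables, as in the first connection script.
file_put_contents("$dir/config_a.php", <<<'PHP'
<?php
$servername = "localhost";
$username = "db_user";
$password = "db_pass";
$dbname = "the_database";
PHP);

// Style B: the credentials exist only inside a function body. Whoever includes this
// file gets a way to obtain a PDO object, and nothing else lands in their variable table.
file_put_contents("$dir/config_b.php", <<<'PHP'
<?php
function makePdo(): PDO
{
    return new PDO("mysql:host=localhost;dbname=the_database", "db_user", "db_pass",
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}
PHP);

// The consumer plays the role of the code that can include but not read the file:
// include it, then list every variable that is now in scope.
function leakedNames(string $file): array
{
    include_once $file;
    $vars = get_defined_vars();
    unset($vars['file']);          // our own parameter, not something the include left behind
    return array_keys($vars);
}

print_r(leakedNames("$dir/config_a.php")); // servername, username, password, dbname
print_r(leakedNames("$dir/config_b.php")); // empty: the include defined a function, no variables

// Same thing from the including script's own point of view: `$password` is readable here.
include_once "$dir/config_a.php";
echo 'Leaked password: ' . $password . PHP_EOL;
```

Because `include_once` inside `leakedNames` pulls the file's variables into that function's local scope, the dump shows precisely what a third-party include would hand an attacker. In style B the function name `makePdo` is still visible through `get_defined_functions()`, but the DSN, user and password live only in its body and are never assigned to a variable the caller can see.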