I have been looking for a very lightweight PHP ORM library and I ran across a few good choices. Unfortunately, most choices require some form of configuration, e.g. adding more fields to the class, and many of them are not so intuitive.
I do not want to use a framework, but prefer just the ORM for Q&D prototypes.
Anyway, I started building my own PHP ORM library called SORM (Simple ORM). It is very much in alpha state. You can check out the code and examples at
https://github.com/teraom/sorm
I would appreciate it if you can provide some feedback or directions on how to proceed, things to change, etc.
I am interested in using mysqli for database queries, specifically for prepared statements, so as to avoid SQL injection.
Is there a way to use prepared statements with regular PHP - SQL functions? Or prevent SQL injection by other means?
http://us2.php.net/manual/en/ref.mysql.php
Is mysqli installed by default when you install PHP? (PHP 5.2 and above)
I know very little about PDO. Is PDO installed by default in PHP 5.2 and above? Does PDO come into the picture too?
Thanks,
Bharad
Is there a way to use prepared statements with regular PHP - SQL functions?
Only when supported by the regular functions. The decrepit "mysql" extension does not provide this functionality. Some others do, like the one for PostgreSQL.
Is mysqli installed by default when you install PHP? (PHP 5.2 and above)
This is not answerable, as it depends on how PHP was compiled (if it's a custom installation), or whether it was installed via a package manager. If it was installed through a package manager, then it's very likely that all database support might be in an optional add-on package. However, if mysql support in general is enabled, the "mysqli" extension should be available.
Is PDO installed by default in PHP 5.2 and above?
Same answer as before -- it depends on how PHP was installed. It's enabled by default when compiling, but it might not be available depending on package management.
In general, you can rely on PDO being available most of the time. When it's not, it's either going to be oversight on behalf of the sysadmin, or an intentional decision to disable it by an idiot manager.
A lot of modern PHP is built assuming PDO will be there. There's not too much harm in making adapters for both PDO and mysqli, as both have generally similar feature sets. Just watch out for the weird, weird way that bind_param works -- it expects one call with all of the things to bind, by reference. This tends to turn people off.
Another option: Instead of building on top of PDO directly, build on top of another wrapper. I don't want to get all Inception on you, but take a peek at Zend_Db. Yes, I know you don't want to use a framework, but take a look at it anyway. It has adapters for the various PDO flavors, mysqli, Oracle, and DB2. It's also quite comprehensive, and the query builder (Zend_Db_Select) is pretty handy.
There are lots of other options in this area, like good old PEAR MDB2, which uses emulation to fake prepared statements and placeholders.
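The answer above suggests writing adapters for both PDO and mysqli and warns about the one-call, by-reference shape of bind_param. The following is an added example (not SORM code and not from the answer) that runs the same parameterised query through both APIs behind a small adapter function each; it assumes a `users(id, email)` table and the placeholder credentials shown.

```php
<?php
// Added example, not SORM code and not from any answer above: the same
// parameterised query through both APIs the answer compares, each behind a
// small adapter function. Assumes a `users(id, email)` table and the
// placeholder credentials below.

function fetch_with_pdo(PDO $pdo, string $sql, array $args): array
{
    // PDO: values are handed to execute() as an array; no type string.
    $stmt = $pdo->prepare($sql);
    $stmt->execute($args);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function fetch_with_mysqli(mysqli $db, string $sql, array $args): array
{
    $stmt = $db->prepare($sql);
    if ($args !== []) {
        // bind_param is ONE call: a type string (i, d, s, b; one char per
        // value) followed by every value, all taken by reference. The spread
        // operator (PHP 5.6+) passes the array elements as references.
        $types = '';
        foreach ($args as $a) {
            $types .= is_int($a) ? 'i' : (is_float($a) ? 'd' : 's');
        }
        $stmt->bind_param($types, ...$args);
    }
    $stmt->execute();
    // get_result() and fetch_all() require the mysqlnd driver.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$sql  = 'SELECT id, email FROM users WHERE email = ? AND id > ?';
$args = ['alice@example.com', 10];   // constructed sample input

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
$db = new mysqli('localhost', 'user', 'secret', 'app');
$db->set_charset('utf8mb4');

print_r(fetch_with_pdo($pdo, $sql, $args));
print_r(fetch_with_mysqli($db, $sql, $args));
```

In either adapter the user-supplied values never become part of the SQL text, which is the property that removes the injection risk the question asks about.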
Hello, I have an assignment that asks me to give at least one disadvantage of using PHP's MySQLi library over PHP's MySQL. I don't see any. Can anyone give me some disadvantage? I can never find one.
MySQLi has this feature called prepared statements which is nothing but a safer way of sending data to MySQL and protecting yourself from getting hacked using SQL injection. This is the foremost reason why one should always prefer MySQLi over MySQL.
MySQLi extension has been specifically developed to take advantage of the new features available in MySQL Server version 4.1.3 and above. So the thing is if you still use the MySQL extension then you might not be able to take full advantage of the new MySQL server features.
MySQLi is object oriented, and a lot has already been said about how useful object-oriented programming is.
MySQLi supports multiple statements and complex transaction statements, and has enhanced debugging capabilities and embedded server support.
Just writing a PHP website and using mysqli for my database connectivity. Really enjoying it as I can use prepared statements and then do a $result = $stmt->get_result(); which loads results into an associative array. However, I thought it best to upload a few pages and the DB to a hosting site to test speed and such, only to find that it does not support the $stmt->get_result(); command, as it needs the mysqlnd driver, which my host does not support.
Looking into this, many host providers don't either. Now when I started the website I looked back at some of my old PHP code and apparently the normal mysql code that I used to use has become obsolete, and I was told on the internet to use mysqli instead, only to find that support for this is dropping too?! So it would seem, so what is the best MySQL connectivity to use?
I would not use any old mysql connectors at all. They are deprecated due to huge gaping security holes. As for whether you want to use prepared statements using mysqli or PDO, that is a matter of choice; they both are pretty secure. mysqli is good as long as you use prepared statements and don't rely on escaping your variables (which is a huge pain and easy to make a mistake, so therefore not as secure).
The advantage of using PDO is that it is easier to move between different database types (e.g. if you want to work with Oracle or SQL Server or PostgreSQL, it is easier to make the transition), and it is far more powerful if you like to work with classes. On this site you will generally find more people who prefer PDO.
Also, as for support for mysqlnd? See the documentation below from the official site:
PHP 5.4 has mysqlnd as default
As of PHP 5.4, the mysqlnd library is a php.net compile time default to all PHP MySQL extensions. Also, the php.net Windows team is using mysqlnd for the official PHP Windows distribution since mysqlnd became available in PHP 5.3
In other words, those web host providers are behind the times. You might want to look for a better one.
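The question above is blocked on $stmt->get_result(), which only exists with mysqlnd. As an added example (not from the question or the answer), the following fetches rows from a mysqli prepared statement using result_metadata() and bind_result(), which also work on the libmysql builds such hosts ship; it assumes a `users(id, email)` table and placeholder credentials.

```php
<?php
// Added example, not from the question or answer above: fetching rows from
// a mysqli prepared statement when get_result() is unavailable (no mysqlnd).
// result_metadata() + bind_result() work with the older libmysql client too.
// Assumes a `users(id, email)` table and placeholder credentials.

function fetch_all_assoc(mysqli_stmt $stmt): array
{
    $meta = $stmt->result_metadata();
    if ($meta === false) {            // statement returned no result set
        return [];
    }
    // One variable per column, bound in a single call: bind_result() takes
    // every argument by reference, so collect references to $row's slots.
    $row  = [];
    $refs = [];
    while ($field = $meta->fetch_field()) {
        $row[$field->name] = null;
        $refs[] = &$row[$field->name];
    }
    $meta->free();
    $stmt->bind_result(...$refs);     // spread keeps the references (PHP 5.6+)

    $rows = [];
    while ($stmt->fetch()) {
        // The bound slots are overwritten on every fetch(), and copying
        // $row directly would keep the references, so copy value by value.
        $copy = [];
        foreach ($row as $name => $value) {
            $copy[$name] = $value;
        }
        $rows[] = $copy;
    }
    return $rows;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
$db   = new mysqli('localhost', 'user', 'secret', 'app');
$stmt = $db->prepare('SELECT id, email FROM users WHERE id > ?');
$min  = 10;                           // constructed sample input
$stmt->bind_param('i', $min);
$stmt->execute();
$stmt->store_result();                // buffer the result set client-side
print_r(fetch_all_assoc($stmt));
$stmt->close();
```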
Vague question, but considering the heading, mysqli and PDO are the same thing (almost the same).
PDO is platform independent but mysqli is only for the MySQL database engine. If you are not going to make corporate-level applications like some SaaS app, then I suggest you use mysqli.
If your app is always gonna be php & mysql, then why bother using PDO? There is not much benefit in using it.
I disagree with nomistic that mysqli is not as secure.
Both PDO and mysqli can have non prepared queries. Both are equally secure.
PDO has one benefit I like: named parameters in prepared statements. So PDO is one step ahead.
You may like this post:
pdo-vs-mysqli-which-should-you-use
Recently the PHP manual started showing the following warning on every mysql function page:
Use of this extension is discouraged. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information...
MySQLi used to be very buggy, but have they improved it so that it's finally worthy of its name? Is that why they're abandoning the MySQL extension and trying to get people to use MySQLi?
Actually, I would like to use MySQLi if it's not buggy anymore. It has more features and it's object oriented.
Any comments on this?
//EDIT: What I want to know is if it's OK to use MySQLi. Or is it still buggy? Should I go with PDO instead?
Yes. Since (very) long. We now have mysqli, or better yet, PDO.
I wouldn't lock myself into mysqli; I'd prefer PDO. Besides the easier migration it offers from one database system to another, it also offers better error handling.
What I want to know is if it's OK to use MySQLi. Or is it still buggy?
MySQLi itself is quite bug-free and it's used in production.
Should I go with PDO instead?
If your only argument for using mysqli is its similarity to mysql, then you'd probably not use mysqli to its full potential anyway. If you want to use mysqli to its full potential, then you'd have to start learning "anew" (it's not terribly much to learn, you know). If you start learning some new tool from "scratch", then why not learn the better alternative - PDO, in the first place?
On the other side, PDO is not perfect either. With PDO, you cannot access MySQL specific APIs (such as post-construct set_charset, infile settings, async queries, OUT params from prepared statements). Also, you should set it to do true prepared statements if you need them.
The PHP MySQLi is a MySQL Improved Extension.
The mysqli extension allows you to access the functionality provided by MySQL 4.1 and above.
You can compare both of them at The MySQLi Extension Function Summary.
If you are searching for a future proof solution, object oriented, the way to go is PHP PDO.
The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP. Each database driver that implements the PDO interface can expose database-specific features as regular extension functions.
...
PDO provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data.
Yes you can go with MySQLi and what you write is true, the API allows an easy change from the MySQL API.
For new projects it's recommended to not use ext/mysql any longer, but to use ext/mysqli or PDO_MySQL.
As you have not written what was buggy for you back in 2009, it's hard to say if these bugs are gone. I would assume so, but, well, check for yourself.
You might want to also use ext/mysqli with the MySQL native driver instead of the MySQL client server library (libmysql).
It was about time. The mysql API, though easy to use, suffers from many problems. Arguably the worst problem is the complete lack of support for prepared statements, which forces you to piece together bits of SQL through string operations. This is not only slow but also a major source of SQL injection vulnerabilities.
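The answer above blames string-assembled SQL for injection bugs, and an earlier answer notes that PDO must be told to use true prepared statements. The following added example (not from any answer) puts the legacy pattern beside a PDO connection configured for native prepares, exceptions on error and named parameters; it assumes a `users(id, email)` table and placeholder credentials.

```php
<?php
// Added example, not from any answer above: the legacy string-building
// pattern next to a PDO connection configured for native (non-emulated)
// prepared statements and exception-based error handling. Assumes a
// `users(id, email)` table and placeholder credentials.

$email = $_GET['email'] ?? 'alice@example.com';   // constructed sample input

// Legacy ext/mysql: the value is spliced into the SQL text, so a quote or
// operator inside $email changes the statement itself (the injection source).
// mysql_query("SELECT id FROM users WHERE email = '$email'");

// PDO with native prepares: statement text and values reach the server
// separately, so a value can never be parsed as SQL.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors throw
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepare
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

function find_user(PDO $pdo, string $email): ?array
{
    // Named placeholder: the binding is matched by name, not by position.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

try {
    var_dump(find_user($pdo, $email));
} catch (PDOException $e) {
    // With ERRMODE_EXCEPTION a malformed query or lost connection surfaces
    // here instead of silently returning false.
    error_log('query failed: ' . $e->getMessage());
}
```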
One of the advantages of PDO over MySQLi is that you'll find that you don't have to learn a new API when you decide to use a different DBMS in a future project.
There is a tutorial I'd like to follow which has some great reviews. The only problem being it makes use of MySQLi instead of MySQL. I only have access to MySQL.
Are there big enough differences to warrant looking for a straight PHP-MySQL tutorial or is it worth just going with this one and making changes myself?
I would say I am a 'beginner' with both PHP and MySQL, but can find my way around the code fine, apply CRUD etc so not completely new.
MySQLi is PHP's "improved" MySQL driver. Meaning it will take full advantage of MySQL servers version higher than 4.1.3.
The underlying MySQL server would be the same, whether using the old MySQL interface or the newer MySQLi, so everything should remain valid if you are following a MySQL tutorial on a MySQLi interface.
In your case, you should pay attention to MySQLi-only stuff since it won't be available to you.
Quote from the official website:
What is PHP's mysqli Extension?
The mysqli extension, or as it is sometimes known, the MySQL improved extension, was developed to take advantage of new features found in MySQL systems versions 4.1.3 and newer. The mysqli extension is included with PHP versions 5 and later.
The mysqli extension has a number of benefits, the key enhancements over the mysql extension being:
Object-oriented interface
Support for Prepared Statements
Support for Multiple Statements
Support for Transactions
Enhanced debugging capabilities
Embedded server support
It shouldn't be too hard to make the necessary adjustments. If you look at PHP's MySQL functions vs the MySQLi functions, the main difference is that MySQLi is an object-oriented interface. Converting back to the regular MySQL functions is usually quite easy, for example: $rs->affected_rows becomes mysql_affected_rows($rs).
As #hexa pointed out, there are a couple things in MySQLi that the old interface doesn't support, such as prepared queries. If the tutorial involves those, it's not that hard to convert them to regular queries, it's just a bit of a hassle.
Both seem to try making it simpler using a database in PHP. Both seem to provide an abstraction over different database types like MySQL, SQLite, etc.
What are the differences between both ADOdb and PDO?
PDO is standard in PHP as of version 5.1. (It is also available as a PECL extension in PHP 5.0.) Most hosting providers will have it enabled. AdoDB is not a standard extension.
Also, I believe the PDO drivers are "PHP-native": they are built on top of the same libraries that PHP itself was built on, and use the same underlying routines for things like memory management. So potentially, PDO is more lightweight than AdoDB.
According to this benchmark, AdoDB is considerably slower than PDO: (fixed link)
https://gist.github.com/tony-landis/31483
Of course, you should consider whether this is important enough for your use case to prefer PDO or not.
From a technical perspective, the most notable difference would be that PDO is a native extension and, from PHP 5 on, always included in PHP in its fast, compiled form. There is an extension for ADODb as well, but you have to install it in PHP first. This is a strong argument in favour of PDO because products based on it are likely to run faster in more environments.
ADOdb supports a larger number of databases than PDO.
Well, I think it boils down to preference. ADOdb is more geared towards people who are used to the Microsoft style of Database access (ADO) and PDO is more "PHP" like and also part of the mainstream of PHP versus ADOdb which sort of sits off to the side.
At the end of the day, it would be based on what your target DB is (ADOdb supports more) and what sort of language style you prefer. Personally, I like PDO and it suits my needs.
PDO is native and pretty fast.
ADOdb is a richer library and even has things like ORM (Object Relational Mapping).
For me the big downside of PDO is that it's horrible to debug when it goes wrong, as there's no PHP source for it. When I was debugging some complicated code the only way I could see the exact SQL that was being executed was to subclass the PDO driver itself...
It's all opinion though of course!