
mysql_* Functions — Why They Were Removed

php PHP 3.0+ Beginner

Also Known As

mysql_query, mysql_connect, mysql_fetch_array, ext/mysql

TL;DR

The original mysql_* extension was removed in PHP 7.0 after years of deprecation — it lacked prepared statements, making parameterised queries impossible and SQL injection trivially easy.

Explanation

The mysql extension provided functions like mysql_connect(), mysql_query(), mysql_fetch_array(), and mysql_real_escape_string(). It had two critical problems: no prepared statements, and mysql_real_escape_string() could be bypassed in certain character sets. The mysqli extension added prepared statements in PHP 5, and PDO added a clean multi-database API. mysql_* was deprecated in PHP 5.5 and removed in PHP 7.0. Any codebase still using it cannot run on PHP 7+.

Common Misconception

"mysql_real_escape_string() is a safe alternative to prepared statements." It is not: character set attacks and certain query constructs can still bypass it.

Why It Matters

PHP 5.x end-of-life means any codebase still on mysql_* is running an unsupported PHP version with no security patches — a double vulnerability.

Common Mistakes

  • Using mysql_real_escape_string() believing it prevents all SQL injection
  • Migrating to PHP 7 without replacing mysql_* calls (they will fatal error)
  • Copy-pasting mysql_* examples from old Stack Overflow answers

Code Examples

✗ Vulnerable
// mysql_ extension — removed in PHP 7:
$conn = mysql_connect('localhost', 'root', '');
$result = mysql_query('SELECT * FROM users');
while ($row = mysql_fetch_array($result)) {
    echo $row['name'];
}
✓ Fixed
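// PDO — works across MySQL, PostgreSQL, SQLite:
// charset in the DSN keeps client and server encodings in agreement.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on SQL errors
    PDO::ATTR_EMULATE_PREPARES => false,                  // use server-side prepared statements
]);
// The ? placeholder is bound at execute(), never concatenated into the SQL text.
$stmt = $pdo->prepare('SELECT * FROM users WHERE active = ?');
$stmt->execute([1]);
foreach ($stmt->fetchAll() as $row) {
    echo htmlspecialchars($row['name']); // escape for HTML output
}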

Added 22 Mar 2026
Edited 23 Mar 2026
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: High
⚡ Quick Fix
Use Rector's MysqlToMysqliRector rule to mechanically migrate mysql_* to mysqli_*, then convert to PDO prepared statements
📦 Applies To
PHP 3.0+ web cli
🔍 Detection Hints
mysql_connect(), mysql_query(), mysql_fetch_array(), mysql_real_escape_string() anywhere in codebase
Auto-detectable: ✓ Yes (rector, semgrep, phpstan)
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Medium Context: File Tests: Update
CWE-89
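
The detection hint above, as an added example that is not part of the original page: a Python pre-migration check that reports bare mysql_*() calls in PHP source while ignoring mysqli_*(), comments, quoted strings, method calls and shim definitions. The sample source and the names find_legacy_calls and scan_tree are constructed for illustration.

```python
import re
from pathlib import Path

# Blank out comments and quoted strings first so names inside them do not count.
SKIP = re.compile(r"""
    //[^\n]* | \#(?!\[)[^\n]* | /\*.*?\*/        # comments (#[...] is a PHP 8 attribute)
  | '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"        # single- and double-quoted strings
""", re.S | re.X)

# A bare call to any mysql_*() function. The lookbehind rejects longer identifiers,
# method calls (->, ::) and variables; mysqli_*() never contains "mysql_".
CALL = re.compile(r"(?<![\w>:$])(mysql_[a-z0-9_]+)\s*\(", re.I)

def find_legacy_calls(source):
    """Return [(line, function)] for each ext/mysql call in a PHP source string."""
    code = SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    hits = []
    for m in CALL.finditer(code):
        if re.search(r"\bfunction\s*$", code[:m.start()]):
            continue  # a compatibility shim defining mysql_*(), not a call
        hits.append((code.count("\n", 0, m.start()) + 1, m.group(1).lower()))
    return hits

def scan_tree(root):
    """Map each *.php file under root to its hits, skipping clean files."""
    found = {}
    for path in Path(root).rglob("*.php"):
        hits = find_legacy_calls(path.read_text(errors="replace"))
        if hits:
            found[str(path)] = hits
    return found

# Constructed sample input, not taken from any real codebase.
SAMPLE = r'''<?php
// mysql_connect() was used here before      (comment: ignored)
$c = mysql_connect('localhost', 'app', 'secret');
$r = mysqli_query($link, 'SELECT 1');         // mysqli_*: fine
$msg = "call mysql_query() later";            // inside a string: ignored
$rows = $db->mysql_query($sql);               // method on a wrapper: ignored
if (!function_exists('mysql_query')) {
    function mysql_query($q) { return false; } // shim definition: ignored
}
$id = MYSQL_REAL_ESCAPE_STRING($_GET['id']);  // PHP function names are case-insensitive
while ($row = mysql_fetch_array($r)) { echo $row['name']; }
'''

if __name__ == "__main__":
    for line, name in find_legacy_calls(SAMPLE):
        print(f"line {line}: {name}()")
```

Heredocs and inline HTML are not lexed, so this is a quick pre-migration check to run alongside rector, semgrep or phpstan rather than a replacement for them.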
