{ "slug": "php4_mysql_extension", "term": "mysql_* Functions — Why They Were Removed", "category": "php", "difficulty": "beginner", "short": "The original mysql_* extension was removed in PHP 7.0 after years of deprecation — it lacked prepared statements, making parameterised queries impossible and SQL injection trivially easy.", "long": "The mysql extension provided functions like mysql_connect(), mysql_query(), mysql_fetch_array(), and mysql_real_escape_string(). It had two critical problems: no prepared statements, and mysql_real_escape_string() could be bypassed in certain character sets. The mysqli extension added prepared statements in PHP 5, and PDO added a clean multi-database API. mysql_* was deprecated in PHP 5.5 and removed in PHP 7.0. Any codebase still using it cannot run on PHP 7+.", "aliases": [ "mysql_query", "mysql_connect", "mysql_fetch_array", "ext/mysql" ], "tags": [ "legacy", "php4", "php5", "deprecated", "sql-injection" ], "misconception": "mysql_real_escape_string() is a safe alternative to prepared statements — character set attacks and certain query constructs can still bypass it.", "why_it_matters": "PHP 5.x end-of-life means any codebase still on mysql_* is running an unsupported PHP version with no security patches — a double vulnerability.", "common_mistakes": [ "Using mysql_real_escape_string() believing it prevents all SQL injection", "Migrating to PHP 7 without replacing mysql_* calls (they will fatal error)", "Copy-pasting mysql_* examples from old Stack Overflow answers" ], "when_to_use": [], "avoid_when": [], "related": [ "sql_injection", "prepared_statement", "pdo", "mysqli" ], "prerequisites": [ "sql_injection", "pdo" ], "refs": [ "https://www.php.net/manual/en/migration70.removed-exts-sapis.php" ], "bad_code": "// mysql_ extension — removed in PHP 7:\n$conn = mysql_connect('localhost', 'root', '');\n$result = mysql_query('SELECT * FROM users');\nwhile ($row = mysql_fetch_array($result)) {\n echo $row['name'];\n}", "good_code": "// PDO — works across MySQL, PostgreSQL, SQLite:\n$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');\n$stmt = $pdo->prepare('SELECT * FROM users WHERE active = ?');\n$stmt->execute([1]);\nforeach ($stmt->fetchAll() as $row) {\n echo htmlspecialchars($row['name']);\n}", "quick_fix": "Use Rector's MysqlToMysqliRector rule to mechanically migrate mysql_* to mysqli_*, then convert to PDO prepared statements", "severity": "critical", "effort": "high", "created": "2026-03-22", "updated": "2026-03-23", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/php4_mysql_extension", "html_url": "https://codeclaritylab.com/glossary/php4_mysql_extension", "json_url": "https://codeclaritylab.com/glossary/php4_mysql_extension.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[mysql_* Functions — Why They Were Removed](https://codeclaritylab.com/glossary/php4_mysql_extension) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/php4_mysql_extension" } } } }