Newsgroups: php.internals
Xref: news.php.net php.internals:64030
Subject: Re: [PHP-DEV] RFC: ext/mysql deprecation
From: ronabop@gmail.com (Ronald Chmara)
To: Kris Craig
Cc: Thomas Hruska, PHP Development
Date: Wed, 21 Nov 2012 11:42:21 -0800
References: <50ACF6BF.4060502@cubiclesoft.com>

On Wed, Nov 21, 2012 at 10:56 AM, Kris Craig wrote:
> On Wed, Nov 21, 2012 at 7:43 AM, Thomas Hruska wrote:
>> On 11/12/2012 9:22 AM, Derick Rethans wrote:
>> Why deprecate? Just because you like PDO doesn't mean everyone else will
>> like it. Just because mysql_query() tends to create security
>> vulnerabilities in the hands of the uneducated who have the tendency to
>> string concatenate SQL queries together in an unsafe fashion, doesn't mean
>> users won't write insecure code with PDO. Users are lazy - binding each
>> field separately is going to drive some to resort to string concatenation,
>> which will result in a situation nearly identical to what you have already.
>> In the hands of someone who knows what they are doing, ext/mysql is the
>> same as, if not better than, mysqli and PDO.

> PHP is not etched in stone. It is an ever-evolving, ever-improving
> language. I'm not sure I understand the reasoning behind your "ext/mysql
> is the same as, if not better than, mysqli and PDO" remark.

"In the hands of someone who knows what they are doing, ext/mysql is the
same as, if not better than, mysqli and PDO."

...is the sentence in question. Note the qualifier.

> The ext/mysql
> extension does not support prepared statements; mysqli and PDO do

If you know what you're doing, prepared statement workflows are just
wasteful code bloat with absolutely no tangible benefits. Again, note the
qualifier.

> There is simply no rational reason for continuing to use ext/mysql over
> mysqli and PDO.

Not editing millions of lines of stable, and secure, code is a rational
reason.

> It does present significant security vulnerabilities.
Well, C has had tons of insecurities over the years, maybe we should migrate
PHP to be written in, oh, Ruby or something new and shiny like that, because
newer languages make shooting yourself in the foot harder, and "new" somehow
means "secure".

If there are actual security vulnerabilities in ext/mysql, by all means,
that's a good reason for rapid deprecation, but if there are security
vulnerabilities because people who *didn't know what they were doing* created
them, that's a battle that cannot be won.

-Ronabop
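The thread argues about two coding habits rather than about a specific bug: building SQL by string concatenation (the ext/mysql habit Thomas describes) versus binding values through a prepared statement (what Kris says mysqli and PDO provide). The following PHP is an added illustration written for this page, not code from any participant or from the PHP project. It runs against an in-memory SQLite database through PDO so that no MySQL server is needed; the table name `users`, the column names and the input `O'Brien` are constructed for the example. The concatenating function only builds the string, since ext/mysql itself is no longer available in current PHP releases.

```php
<?php
// Added example (not from the thread): the concatenation pattern the thread
// warns about, next to PDO's prepared-statement form, run on in-memory SQLite.

// The ext/mysql habit under discussion: SQL text assembled from user data.
// The structure of the resulting statement depends on what the user typed.
function buildByConcatenation(string $name): string
{
    return "SELECT id, name FROM users WHERE name = '" . $name . "'";
}

// Parameterised alternative: the SQL text is fixed at prepare() time and the
// value travels separately, so data can never alter the statement structure.
// execute() accepts an array, so there is no need to bind each field by hand
// (the "binding each field separately" cost raised in the thread).
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: a tiny users table with one name containing a quote.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Constructed input: an ordinary surname that happens to contain an apostrophe.
$input = "O'Brien";

// Concatenation: the apostrophe in the data becomes part of the SQL syntax.
// Here that is merely a syntax error; it is the same defect that turns into
// SQL injection when the input is chosen on purpose, which is why reviewers
// flag every concatenated query regardless of who wrote it.
echo buildByConcatenation($input), PHP_EOL;
try {
    $db->query(buildByConcatenation($input));
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), PHP_EOL;
}

// Prepared statement: the same input is handled as a value, and the row
// for O'Brien is returned; an unknown name yields null.
var_dump(findUserByName($db, $input));
var_dump(findUserByName($db, 'nobody'));
```

The point for a reviewer of either API is the same one the thread circles around: the question is not whether a competent author can escape correctly by hand, but whether a code base of "millions of lines" can be audited for every place where that discipline lapsed. A grep for `mysql_query(` followed by concatenated variables finds candidates for the first pattern; a prepared statement with bound parameters leaves nothing of that kind to find.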