I am doing an e-commerce CMS and all my SQL queries are mysql_* functions.
Since they are getting obsolete, I would like to incorporate PDO’s/prepared statement.
From a security perspective, should I only use PDO’s/prepared statement for queries which involve user input?
Can I just use mysql_* functions for queries that don’t have user input in them?
Also, I’ve been googling “PDO vs prepared statement” with no success, to see what the differences are. Is there any difference at all or are they the same thing?
I’ve also been advised to use MySQLi. Can I stick to PDO’s without MySQLi?
Thanks a lot for your suggestions. Regards
Since when? They are not deprecated.
All of mysql, mysqli and PDO ultimately do the same thing, but in very different ways. Using three different APIs to the same data is not a good idea – use one and learn how to use it effectively. Of course you can become expert in all of them, but don’t mix and match in the same project – other people may want to look at your code.
If you’re working on a medium to large scale project, then define your own abstraction layer – that way it doesn’t matter which you use. (NB despite the hype making an application portable across different DBMS is not as simple as using an abstraction layer).
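As an added example (not code from the question or either answer), here is what the "use one API" advice looks like with PDO: every query, whether or not it carries user input, goes through one prepared-statement helper, so the SQL text and the values reach MySQL separately. The DSN, credentials and the `products` table are assumptions.

```php
<?php
// Added example, not from the original thread. Assumed: a MySQL database
// "shop" with a "products" table (id, name, price); host, user and password
// below are placeholders.

$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'shop_user',
    'REPLACE_WITH_PASSWORD',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

/** Run a query with bound parameters and return all rows. */
function fetchAll(PDO $pdo, string $sql, array $params = []): array
{
    $stmt = $pdo->prepare($sql);   // SQL text is sent once, without values
    $stmt->execute($params);       // values are bound, never parsed as SQL
    return $stmt->fetchAll();
}

// User input from the request is passed as a bound value, never concatenated
// into the query string, so quotes or keywords in it are treated as data.
$search = $_GET['q'] ?? '';
$rows = fetchAll(
    $pdo,
    'SELECT id, name, price FROM products WHERE name LIKE :pattern LIMIT 20',
    [':pattern' => '%' . $search . '%']
);

// A query with no user input goes through the same helper: one API, one code
// path to review, and no reason to keep mysql_* calls around for "safe" queries.
$newest = fetchAll($pdo, 'SELECT id, name FROM products ORDER BY id DESC LIMIT 5');

// Identifiers (column names) cannot be bound as parameters; map request values
// to a fixed whitelist instead of interpolating them.
$allowedSort = ['name' => 'name', 'price' => 'price'];
$sortKey = $allowedSort[$_GET['sort'] ?? 'name'] ?? 'name';
$sorted = fetchAll($pdo, "SELECT id, name, price FROM products ORDER BY $sortKey");
```

Placing the helper in your own abstraction layer, as the answer suggests, means the rest of the CMS never touches the driver directly.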