CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: mysqli, PDO, mysql  (Read 1028 times)

JoeMurray

  • CiviCRM version: 4.4 and 4.5 (as of Nov 2014)
  • CMS version: Drupal, WordPress, Joomla
  • MySQL version: MySQL 5.5, 5.6, MariaDB 10.0 (as of Nov 2014)
mysqli, PDO, mysql
March 10, 2015, 09:25:20 am
Currently, CiviCRM ships with mysql connection (https://github.com/civicrm/civicrm-core/blob/master/templates/CRM/common/civicrm.settings.php.template), which is deprecated as of PHP 5.5 and not recommended for new projects (http://php.net/manual/en/mysqlinfo.api.choosing.php).

I think we should move to mysqli since it is backwards compatible with mysql for procedural calls. It would be nice to consider PDO, but it would require too much more code cleanup to do easily IMHO.

Here's a tool which helps to convert from mysql to mysqli: https://github.com/philip/MySQLConverterTool

When we do this we should make sure to put in controls on the ability of multiple statements to run. For a similar point about Drupal and PDO, and how limiting MySQL to single statements is a way to lessen the impact of certain types of exploits, see https://www.drupal.org/node/2388255.
« Last Edit: March 10, 2015, 09:29:08 am by JoeMurray »
Co-author of Using CiviCRM https://www.packtpub.com/using-civicrm/book
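
An added example, not part of the original post or of CiviCRM's code: a heuristic Python audit of PHP source for the two places where multi-statement execution can be enabled after moving off the mysql extension, namely calls to mysqli's multi_query and PDO connections that do not set `PDO::MYSQL_ATTR_MULTI_STATEMENTS` to false. That PDO constant does not appear on this page, and the function names, regexes and PHP sample are constructed for illustration.

```python
import re

# Calls that send several ';'-separated statements in one request.
MULTI_CALL = re.compile(r"\b(mysqli_multi_query|multi_query)\s*\(")
# A PDO constructor up to the end of its statement (heuristic, not a PHP parser).
PDO_NEW = re.compile(r"new\s+\\?PDO\s*\((.*?)\)\s*;", re.S)
# pdo_mysql option that switches multi-statement support off.
SINGLE_ONLY = re.compile(r"MYSQL_ATTR_MULTI_STATEMENTS\s*=>\s*(?:false|0)\b", re.I)

def line_of(source, offset):
    """1-based line number of a character offset."""
    return source.count("\n", 0, offset) + 1

def audit_php(source, filename="<constructed>"):
    """Return sorted (filename, line, message) findings for one PHP source string."""
    findings = []
    for m in MULTI_CALL.finditer(source):
        findings.append((filename, line_of(source, m.start()),
                         "multi-statement call: " + m.group(1)))
    for m in PDO_NEW.finditer(source):
        # Options passed through a variable are not resolved, so such
        # connections are reported for manual review, not assumed safe.
        if not SINGLE_ONLY.search(m.group(1)):
            findings.append((filename, line_of(source, m.start()),
                             "PDO connection without MYSQL_ATTR_MULTI_STATEMENTS => false"))
    return sorted(findings)

# Constructed PHP sample (hypothetical variable names, not CiviCRM code).
SAMPLE = r'''<?php
// constructed sample
$link = mysqli_connect($host, $user, $pass, $name);
$res  = mysqli_query($link, $sql);      // one statement per call
mysqli_multi_query($link, $batch);      // several statements per call
$a = new PDO($dsn, $user, $pass);
$b = new PDO($dsn, $user, $pass, array(
    PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
));
'''

if __name__ == "__main__":
    for name, line, msg in audit_php(SAMPLE):
        print("%s:%d: %s" % (name, line, msg))
```

The PDO finding only matters for connections that use the pdo_mysql driver, and the option requires a PHP build that supports it.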

totten

Re: mysqli, PDO, mysql
March 10, 2015, 04:52:19 pm
I really like that behavior of mysql/mysqli where it doesn't allow multiple statements. With basically every SQL injection bug I've seen in Civi, this has been a godsend; instead of SQL injections which are "easily-exploited holes which massively compromise confidentiality+integrity" we generally get SQL injections which are "difficult-to-exploit holes which can indirectly compromise confidentiality".

What do you think of the idea of merging Doctrine into master as soon as 4.6.0 goes out? The idea was raised in previous discussion with GR. The idea is to bring Doctrine into mainline so that we can acclimate to it gradually (adjust our workflows, use Doctrine for schema management and testing, maybe do a couple experimental components) but perhaps keep it disabled in production in the immediate future.

JoeMurray

Re: mysqli, PDO, mysql
March 11, 2015, 07:37:52 am
This is another good step in updating our technical infrastructure, and I think we are ready for it. I'm a little less clear on the issues associated with enabling in production, but like the idea of doing one thing at a time and getting more experience of it in core before it is part of the general install procedures.


This forum was archived on 2017-11-26.