Explore our sites

Stack Exchange
tour help
up vote -7 down vote favorite
3

Would it be possible to put a small warning on all questions that get tagged with warning against the use of mysql_* functions in their code?

It seems that every single time a PHP/MySQL question is asked, there is an immediate comment warning of the dangers of using mysql_* functions. This seems very redundant and pointless, when we could notify the users upfront.

All-too-common comment on PHP/MySQL questions on StackOverflow

Does anyone have another idea on how to combat the pointlessness of these comments being posted constantly?

share|improve this question
3  
THis would be a good addition to the pro-forma comments system that seems to be in the works (no idea when it'll come though) –  Pëkka Aug 13 '12 at 20:50
13  
Why not for everything that becomes deprecated? Don't put ceilings on your dreams –  random Aug 13 '12 at 20:51
1  
Not sure how sarcastic I should perceive that comment to be... –  David Aug 13 '12 at 20:51
4  
@David If it's your question, not at all, if it's someone else's question, very. –  Servy Aug 13 '12 at 20:52
 
That is quite possibly the best answer I could have expected. –  David Aug 13 '12 at 20:52
10  
It bugs me to read that comment on every MySQL question that uses the old mysql_ functions. Maybe the OP for one reason or another doesn't have access to the newer functions. Even though the mysql_ functions are "discouraged", they're not obsolete or verboten. –  j08691 Aug 13 '12 at 21:08
1  
@j08691 that's very true, but I'm willing to bet with 99% of questioners it's just a case of a bad tutorial (see below) –  Pëkka Aug 13 '12 at 21:13
 
Can someone explain why I've received two downvotes for this? (Used to be at +2) –  David Aug 13 '12 at 21:14
4  
@Pekka - possibly, but I think there's a difference between discouraging bad coding practices and/or protecting against SQL injections, and making blanket recommendations against using older functions for nothing other than a knee-jerk reaction to seeing the OP using them. It's obviously possible to write clean, secure code using the older mysql_ functions, and while I totally agree with using the newer mysqli_ and PDO options, the comment usually doesn't help the OP. –  j08691 Aug 13 '12 at 21:16
 
@j08691 I agree with your conclusion, albeit for different reasons (see below) –  Pëkka Aug 13 '12 at 21:18
 
@David Most likely because some disagree. (Downvotes often indicate disagreement on Meta SO) –  Bart Aug 13 '12 at 21:19
7  
This is a slippery slope. There are loads of deprecated functions and practices, covering every conceivable programming language, tool and library. Are we going to cover all of them? –  The Grinch Aug 13 '12 at 21:23
1  
@David That said, in this case, I'll throw you a bone; I definitely downvoted, but on Meta, downvoting is different. I disagree with the comment being on every single question I see. At this point, it's useless noise and we're not doing anyone any good. We want to think we're making all database access more secure, but we're really just wasting keystrokes and getting all happy because we think we told someone we know better when in reality, we have no clue what their situation is and how it applies. It's a mutual comment upvote thing. –  casperOne Aug 13 '12 at 21:24
6  
Disagree. Why would PHP's mysql_ functions get special treatment? Shouldn't the site automatically warn you when you're using split? or any of the other hundreds of deprecated PHP functions? And why stop at PHP? What about deprecation warnings for Perl? Ruby? Python? C? Why stop at deprecation warnings? And what about false-positives, where somebody asks "I've heard that the mysql_* functions are, bad what should I use to replace them?" And who decides on which specific functions get a warning and which don't? Who maintains the list of deprecated functions? –  meagar Aug 13 '12 at 21:29
1  
@David you have not caused any kind of rift. People downvote things they disagree with on Meta. It isn't personal and you shouldn't take it as such. –  meagar Aug 13 '12 at 22:15
show 10 more comments

3 Answers

up vote 19 down vote

There's a lot of related questions coming in so this request makes sense, but on second thought, I'm starting to think it doesn't really matter whether we tell people not to use mysql or not.

The vast majority of users who present mysql_* code have copy-pasted it from some crappy tutorial and are going through the first steps of learning programming. They will not heed the PDO advice. They will not add error checking to their code. They just want to know why it doesn't work and what they need to do to make it work.

If they eventually evolve professionally, they will find out that it's deprecated quickly enough (e.g. by looking in the manual). SO can't be responsible for every crappy tutorial out there. I mean, W3Schools sports SQL injection vulnerabilities in its examples to this day.

Look at this work of beauty for example:

$q=$_GET["q"];

... some code in which they connect to the DB, but do NOT escape $q ......

$sql="SELECT * FROM user WHERE id = '".$q."'";

$result = mysql_query($sql);

That infernal piece of crap site alone leads to more bad code than SO can ever fix.

share|improve this answer
 
I understand what you're saying. My point is, saving commenters the process of posting a pointless comment may be advantageous for the site. –  David Aug 13 '12 at 21:08
 
@David I totally understand that, and I don't disagree. Don't get me wrong, I've been posting that comment a lot, too ... but I'm starting to tend more towards "it's pointless to comment in the first place" –  Pëkka Aug 13 '12 at 21:10
2  
Most of the people who ask a question with a mysql_* function have less than 100 rep, anyway, making it, like you said, extremely pointless. –  David Aug 13 '12 at 21:10
2  
I love the examples you see with something like this: $query = mysql_query("SELECT * FROM users WHERE name = " . $_POST['name']); –  David Aug 13 '12 at 21:13
 
@Pekka WOW. That w3 link is revolting! How can they do that to beginners! I'm pretty sure i've copied w3 stuff when I first started... –  d-_-b Oct 9 '12 at 0:17
 
I actually want to visit the sites of these people and SQL inject it to teach them a lesson. Happened to me in the very beginning. I learned my lesson about validating input. –  Cole Johnson Apr 15 at 2:35
add comment
up vote 0 down vote

Comments like that are just noise and should be flagged as such. They don't help answer the question. It's equivalent to asking:

Where can I get a BLT sandwich?

And the comment is:

Bacon is unhealthy. You shouldn't eat meat. I'm a vegetarian.

share|improve this answer
2  
Are you active enough in that particular tag to be able to judge this? –  Pëkka Aug 13 '12 at 21:33
1  
@Pekka That's my opinion on all "You shouldn't" comments that don't help answer the question. –  ThinkingStiff Aug 13 '12 at 21:34
7  
Strongly, strongly disagree. If people were posting "dont' use mysql_*" as an answer, you would be exactly correct. But posting "you shouldn't do this" messages as comments is not only acceptable, it's a good practice and should be encouraged. It's a great thing when you can save somebody from introducing some terrible code to their app, or point out a potential pitfall they're going to face. Why in the world would you want to stand by and let somebody shoot themselves in the foot, knowing full-well that they're going to hurt themselves and that you could prevent it? –  meagar Aug 13 '12 at 21:35
 
@meagar It's difficult know an OP's situation well enough from just their question (nor should they have to explain it) to say whether or not they should or should not be doing something. –  ThinkingStiff Aug 13 '12 at 21:39
2  
No, It's really not, I and many others have been doing it for years now and haven't had any trouble with it. Sometimes it doesn't take deep knowledge of somebody's code to see that they're introducing terrible bugs via a single line or short snippet of notoriously broken code. –  meagar Aug 13 '12 at 21:40
5  
And your example is utter pants. It would be more like somebody asking "Where can I get some bleach and toilet bowl cleaner to whiten my toilet?" and you responding "Don't do that, bleach and toilet bowl cleaner mix to create toxic chloromine gas fumes, you're going to kill yourself". You're saving somebody from a concrete, factual, unambiguously bad thing that they are almost certainly ignorant of. "Bacon is unhealthy" is your opinion, and obviously forcing your unsolicited opinion on others is pretty unwelcome. –  meagar Aug 13 '12 at 21:42
 
@meagar Those are good points and in the example in this question the comment was very well written and friendly. But many times comments like this are not like that. They are often rude and "You're doing it wrong, idiot." sounding. I have a bias against them. –  ThinkingStiff Aug 13 '12 at 21:47
 
Your example would be valid if I asked "I'd like to make a game using C++" and somebody commented "C++ is bloated. You shouldn't use it. I only program in C". See, that's unsolicited holier-than-though opinion, and it makes you an ass. Telling somebody that a deprecated function is deprecated is not opinion, it's fact, and it is not comparable. –  meagar Aug 13 '12 at 21:47
 
If you think their comment is rude, flag it as rude. A moderator would instantly delete a "you're doing it wrong idiot" comment. We have a whole rule in the faq about that, and a whole "rude or offensive" flag to deal with it. It has nothing to do with the topic at hand. –  meagar Aug 13 '12 at 21:48
1  
@meagar Just because a function is deprecated doesn't it shouldn't be used. The OP could be working on legacy code on a server that can't be updated. So saying it's deprecated is not an opinion, but saying they OP shouldn't use it is. –  ThinkingStiff Aug 13 '12 at 21:55
4  
"You shouldn't use deprecated functions" is not opinion. That's why functions are deprecated, that's literally the entire meaning of deprecating a function: Stop using it, it's going away. If the OP wants to head off such comments, he should indicate that he's working with legacy code either in the question or in a comment. I would expect the same from somebody posting obvious buffer-overflow or divide-by-zero errors; if they don't want obvious errors to become the focus of their question, they need to make us aware that they are aware. –  meagar Aug 13 '12 at 21:58
 
@ThinkingStiff you don't know the context. A lot of newbies who clearly know nothing about programming come in asking how to build database stuff from the ground up. They clearly have never written a line of database code in their life, and they have their knowledge from one of the shitty outdated tutorials out there. It's perfectly okay to point out that the library they're looking to use is deprecated (although it may be pointless, see my answer). The number of legit "I have to use this library" uses is very, very small, and will rarely receive this type of comment –  Pëkka Aug 13 '12 at 22:02
 
@Pekka I agree with your answer. It's pointless for the reasons you listed. And if it's pointless, I think it's noise. I also agree I don't know anything about this mysql_* issue or its context. But comments like this set the tone for the question in a negative way to everyone that sees it after the comment. It would be simple enough to answer the question the way you think it should be done and also mention why the way they wanted to do it is not a good idea. The comment by itself doesn't add anything. –  ThinkingStiff Aug 13 '12 at 22:13
add comment
up vote 0 down vote

There, done. This is now part of the MySQL tag wiki for those who so venture to read that page:

Deprecation of mysql_ functions

PHP functions that start with mysql_ have been deprecated as of PHP 5.5.0. If you are in a position to do so, please consider updating your code to use the MySQLi or PDO extensions instead.

But you can only help those who want to be helped or are empowered to effect the change you want to Michael Jackson circa 1988.

share|improve this answer
add comment

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .