replace mysql with pdo #11

Open
Xkeeper0 opened this issue Aug 9, 2015 · 5 comments
@Xkeeper0
Owner

Xkeeper0 commented Aug 9, 2015

Right now there is a mixture of raw mysql_...() commands and commands run through a mysql pseudo-class. These should be replaced with a PDO-based class (and queries redone to use prepared statements).

@SquidEmpress

I highly recommend doing this. That way, you won't need to use addslashes, magic_quotes, and the auto IP ban thingy for "UNION SELECT". Don't know if you've been up to date with Acmlmboard 2, but it now has completely dropped the magic_quotes dependency as all dynamic queries are now prepared queries.

Also, when you have keys in a string, you should put single quotes around the array and braces around the variable and the brackets. For example, print "User {$user['name']} ate the pineapple."; rather than print "User $user[name] ate the pineapple."; This will prevent the Notice: undefined index: name in /home/whatever/index.php on line 10 errors from showing up.

Good luck.

@Xkeeper0
Owner Author

Xkeeper0 commented Dec 1, 2015

I am well aware of these issues -- the majority of the code dates back to 2001.

P.S. I do not appreciate you sending death threats to members, so kindly go away, forever. Thanks.

@SquidEmpress

OK, fine. She was a former friend of mine who stabbed me in the back months ago so I personally don't care.

@Arisotura
Contributor

while I can only recommend prepared queries, the portability argument of PDO is moot: PDO can handle multiple database systems, but that's about it, it doesn't cover the syntax differences in more complex/specific SQL queries

@Kak2X
Contributor

Kak2X commented Jan 8, 2017

From what I've tested in my fork, it is possible to have an almost compatible PDO class that can replace the MySQL one.

"Almost", because:

  • From what I've seen, in PDO+MySQL there are no scrollable cursors, so instances of mysql_data_seek have to be worked around. It's not really an issue, but it's there. (This means you'd have to cache the actual arrays instead of the result pointer.)
  • The correct way to select a database is to do so when connecting. Not an issue at all, but it means that $sql->selectdb can't be used.
  • The PDO equivalent of mysql_result only allows selecting the column - not the row. No queries use that functionality anyway, so who cares.
  • Strings escaped by PDO::quote should not be enclosed by quotes since those are added automatically, unlike in mysql_real_escape_string. When using prepared statements it doesn't matter since the function isn't going to be used, but since there are none as-is, it may mean recreating that mysql_ function by manually escaping the affected characters.

Though converting also means replacing the remaining raw mysql_ commands with calls to the mysql class, because mixing PDO and mysql_ commands obviously doesn't do any good.
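
The compatibility points listed in the comment above, sketched as an added example that is not code from this thread, the project, or the fork it mentions. The class and method names (`PdoCompat`, `query`, `result`, `escape`) are hypothetical, and an in-memory SQLite DSN with constructed rows stands in for MySQL so the block runs offline.

```php
<?php
// Added example: hypothetical PDO-backed stand-in for a legacy mysql wrapper (names are assumptions).
class PdoCompat
{
    private PDO $pdo;

    // The database is chosen in the DSN at connect time; there is no selectdb().
    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    // Prepared query. Rows come back as a plain array so callers can index
    // or rewind freely, replacing mysql_data_seek() on a result pointer.
    public function query(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->columnCount() ? $stmt->fetchAll() : [];
    }

    // mysql_result() stand-in: first row only, column chosen by index.
    public function result(string $sql, array $params = [], int $col = 0)
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchColumn($col);
    }

    // Transitional shim for unconverted queries that add their own quotes:
    // PDO::quote() already wraps the value, so strip the outer pair.
    public function escape(string $value): string
    {
        return substr($this->pdo->quote($value), 1, -1);
    }
}

// Constructed demo data; in-memory SQLite keeps it runnable offline.
$sql = new PdoCompat('sqlite::memory:');
$sql->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$sql->query('INSERT INTO users (name) VALUES (?), (?)', ['alice', "x' UNION SELECT 1 --"]);
$rows = $sql->query('SELECT id, name FROM users ORDER BY id');
echo $rows[1]['name'], "\n";   // bound value is stored as data, not parsed as SQL
echo $rows[0]['name'], "\n";   // "seek" back to row 0 by indexing the cached array
echo $sql->result('SELECT COUNT(*) FROM users WHERE name = :n', [':n' => 'alice']), "\n";
echo $sql->escape("O'Brien"), "\n";
```

The `escape()` shim only exists to keep unconverted string-built queries working during the migration; converted call sites pass values through `$params` and never call it.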

@Xkeeper0 Xkeeper0 removed their assignment Mar 3, 2018