[#13803] - [RFC] Remove ext/mysql Database Driver in 4.0
- Closed
- 18 Feb 2017
- Medium
- Build: staging
- # 13803
PHP's ext/mysql was deprecated at 5.5 and removed in 7.0. The corresponding driver is already deprecated in our code base but doesn't have a scheduled removal version (basically it's "when PHP 7 is the minimum").
Of all of the drivers in the CMS' inventory, this is the only driver which cannot support prepared statements, a feature which offers improved security and input handling in database queries. There are ways to emulate it, but it just isn't the same as using the native engine/API to handle it (see WordPress' implementation as an example where the practice is frowned upon).
Continuing to support this driver in effect blocks any potential effort to use prepared statements with the database layer once all required changes are implemented (the Framework package has all of the changes so I know the amount of effort required).
Therefore, I would like to propose that we remove this deprecated driver with 4.0 instead of prolonging it to a later release.
joomla-cms-bot
- | Labels |
Added:
?
|
||
it's ok for me to remove on 4.0
I agreed to removal in 4.0 too
I agree to
Maybe we should extend than this check: https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_admin/postinstall/joomla40checks.php for checking on mysql vs mysqli and throw a error on mysql driver.
Well obviously we would have to if this goes through. Considering a PR to actually follow through with it hasn't been opened yet, hard to implement a check for a plan that has no conclusive action (yet).
I agree too. As Tobias needs checking and maybe automatic switching on update?
There is already logic since 3.5 to try and auto switch based on the configuration. Core should NEVER try to change the configuration.php file on update though.
I just want to point that out as even if we have a auto switch since 3.5 in place there are still 19% of the 3.6+ sites reporting mysql as there database driver in the stats.
https://developer.joomla.org/about/stats.html
This means that 19,87% of the sites don't have mysqli or pdo installed on the servers yet. If the decision is done we should inform them that the database driver they are using is not supported in 4.0 any more
This does NOT mean that 19.87% of Joomla 3.5+ sites don't have MySQLi or PDO. The auto switch behavior only kicks in if a site is running PHP 7 and you have public $dbtype = 'mysql'; in your configuration.php file. We aren't trying to switch sites on a PHP 5 version. https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/database/driver.php#L256
Also, our stats server doesn't collect the database configuration based on what's in your configuration.php file but rather the active database driver. So we don't have a way of tracking sites which upgraded to PHP 7 but left the deprecated driver configured.
Ah i have not checked the code and I remembered wrong than, sorry. Maybe we should place a Postinstal + action button that support that switch if mysqli is supportet on the server?
As first step of the removal.
I would not put an action button in a postinstall message that makes a global configuration change. I would rather advise that the user needs to explicitly go to the config and make the change themselves. It seems like we're asking for trouble if we put that kind of button anywhere.
We only do the auto-convert behavior as a means of detecting a 100% invalid configuration on a known environment.
+1 for removal in 4.0
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-02-18 21:39:39 |
| Closed_By | ⇒ | mbabker |
I would second that