Difference between Mysqli and PDO in PHP.
For accessing a database in PHP, we have got two choices: MySQLi (MySQL improved) and PDO (PHP Data Objects) . It is always good to know about these in detail before choosing one.
The major differences are listed here.
- Database Support
- Database Connection.
- Security
- Performance
Database Support
Database Support | |
PDO | MySQLi |
Cubrid | MySQL |
FreeTDS / Microsoft SQL Server / Sybase | |
Firebird | |
IBM DB2 | |
IBM Informix Dynamic Server | |
MySQL | |
Oracle Call Interface | |
ODBC v3 (IBM DB2, unixODBC and win32 ODBC) | |
PostgreSQL | |
SQLite 3 and SQLite 2 | |
Microsoft SQL Server / SQL Azure | |
4D |
Database Connection
PDO
$pdo = new PDO("mysql:host=localhost.com;dbname=data", 'username', 'password');
Mysqli, procedural style
$mysqli = mysqli_connect('localhost.com','username','password','data');
Mysqli,object oriented style
$mysqli = new mysqli('localhost.in','username','password','data');
Security
Both PDO and MySQLi provide SQL injection security, as long as developer follow them with features like escaping and parameter binding with prepared statements.
For example a hacker is trying to inject some malicious SQL through the ‘name’ HTTP query parameter (POST):
$_POST['name'] = "'; DELETE FROM users; /*"
If we fail to escape, it will be added in query “as it is” it will delete all rows from users table as PDO and MySQLi support multiple queries.
// PDO, “manual” escaping
$name = PDO::quote($_POST['name']);
$pdo->query("SELECT * FROM users WHERE name = $name");
// mysqli, “manual” escaping
$name = mysqli_real_escape_string($_POST['name']);
$mysqli->query("SELECT * FROM users WHERE name = '$name'");
PDO::quote() not only escapes the string, but it also quotes it. But mysqli_real_escape_string() will only escape the string, you will need to apply the quotes manually.
// PDO, prepared statement
$pdo->prepare('SELECT * FROM users WHERE name = :name');
$pdo->execute(array(':name' => $_POST['name']));
// mysqli, prepared statements
$query = $mysqli->prepare('SELECT * FROM users WHERE name = ?');
$query->bind_param('s', $_POST['name']);
$query->execute();
I always recommend you to use prepared statements with bound queries instead of PDO::quote() and mysqli_real_escape_string().
Performance
Both PDO and MySQLi are quite fast. For SELECT query, MySQLi was about 2.5% faster for non-prepared statements and about 6.5% faster for prepared statements
Summary
PDO | MySQLi | |
Database support | 12 different drivers | MySQL only |
API | OOP | OOP + procedural |
Connection | Easy | Easy |
Named parameters | Yes | No |
Object mapping | Yes | Yes |
Prepared statements (client side) |
Yes | No |
Performance | Fast | Fast |
Stored procedures | Yes | Yes |
Finally, MySqli is native for php and works very well with MySql. So, you can choose Mysqli only if you are working on Mysql database and not familiar with PDO statements. Its always recommended to prefer PDO, as it supports twelve different database drivers including Mysql database. Performance point of view Mysqli is better and security point of view, both are safe as long as the developer follows recommended statements.