{"id":2757,"date":"2015-04-29T11:17:22","date_gmt":"2015-04-29T05:47:22","guid":{"rendered":"http:\/\/cmscomputer.in\/blog\/?p=2757"},"modified":"2015-07-06T23:26:50","modified_gmt":"2015-07-06T17:56:50","slug":"difference-between-mysqli-and-pdo-in-php","status":"publish","type":"post","link":"https:\/\/www.cmscomputer.in\/blog\/difference-between-mysqli-and-pdo-in-php\/","title":{"rendered":"Difference between Mysqli and PDO in PHP."},"content":{"rendered":"<p>For accessing a database in PHP, we have got two choices: MySQLi (MySQL improved) and PDO (PHP Data Objects) . It is always good to know about these in detail before choosing one.<\/p>\n<p>The major differences are listed here.<\/p>\n<ol>\n<li>Database Support<\/li>\n<li>Database Connection.<\/li>\n<li>Security<\/li>\n<li>Performance<\/li>\n<\/ol>\n<h2>Database Support<\/h2>\n<table border=\"1\" width=\"455\">\n<tbody>\n<tr>\n<td colspan=\"2\" width=\"455\"><strong>Database Support<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"423\"><strong>PDO<\/strong><\/td>\n<td width=\"32\"><strong>MySQLi<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">Cubrid<\/td>\n<td width=\"32\">MySQL<\/td>\n<\/tr>\n<tr>\n<td width=\"423\">FreeTDS \/ Microsoft SQL Server \/ Sybase<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">Firebird<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">IBM DB2<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">IBM Informix Dynamic Server<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">MySQL<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">Oracle Call Interface<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">ODBC v3 (IBM DB2, unixODBC and win32 ODBC)<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">PostgreSQL<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">SQLite 3 and SQLite 2<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">Microsoft SQL Server \/ SQL Azure<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<tr>\n<td width=\"423\">4D<\/td>\n<td width=\"32\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Database Connection<\/h2>\n<p><em>PDO<\/em><br \/>\n<code>$pdo = new PDO(\"mysql:host=localhost.com;dbname=data\", 'username', 'password');<\/code><\/p>\n<p><em>Mysqli, procedural style<\/em><br \/>\n<code>$mysqli = mysqli_connect('localhost.com','username','password','data');<\/code><\/p>\n<p><em>Mysqli,object oriented style<\/em><br \/>\n<code>$mysqli = new mysqli('localhost.in','username','password','data');<\/code><\/p>\n<h2>Security<\/h2>\n<p>Both PDO and MySQLi provide SQL injection security, as long as developer follow them with features like escaping and parameter binding with prepared statements.<br \/>\nFor example a hacker is trying to inject some malicious SQL through the \u2018name\u2019 HTTP query parameter (POST):<br \/>\n<code> $_POST['name'] = \"'; DELETE FROM users; \/*\" <\/code><\/p>\n<p>If we fail to escape, it will be added in query \u201cas it is\u201d it will delete all rows from users table as PDO and MySQLi support multiple queries.<br \/>\n<code>\/\/ PDO, \u201cmanual\u201d escaping<br \/>\n$name = PDO::quote($_POST['name']);<br \/>\n$pdo-&gt;query(\"SELECT * FROM users WHERE name = $name\");<br \/>\n\/\/ mysqli, \u201cmanual\u201d escaping<br \/>\n$name = mysqli_real_escape_string($_POST['name']);<br \/>\n$mysqli-&gt;query(\"SELECT * FROM users WHERE name = '$name'\");<br \/>\nPDO::quote() not only escapes the string, but it also quotes it. But mysqli_real_escape_string() will only escape the string, you will need to apply the quotes manually.<br \/>\n\/\/ PDO, prepared statement<br \/>\n$pdo-&gt;prepare('SELECT * FROM users WHERE name = :name');<br \/>\n$pdo-&gt;execute(array(':name' =&gt; $_POST['name']));<br \/>\n\/\/ mysqli, prepared statements<br \/>\n$query = $mysqli-&gt;prepare('SELECT * FROM users WHERE name = ?');<br \/>\n$query-&gt;bind_param('s', $_POST['name']);<br \/>\n$query-&gt;execute();<\/code><br \/>\nI always recommend you to use prepared statements with bound queries instead of PDO::quote() and mysqli_real_escape_string().<\/p>\n<h2>Performance<\/h2>\n<p>Both PDO and MySQLi are quite fast. For SELECT query, MySQLi was about 2.5% faster for non-prepared statements and about 6.5% faster for prepared statements<\/p>\n<h2>Summary<\/h2>\n<table width=\"600\">\n<thead>\n<tr>\n<td><\/td>\n<td><strong>PDO<\/strong><\/td>\n<td><strong>MySQLi<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Database support<\/strong><\/td>\n<td>12 different drivers<\/td>\n<td>MySQL only<\/td>\n<\/tr>\n<tr>\n<td><strong>API<\/strong><\/td>\n<td>OOP<\/td>\n<td>OOP + procedural<\/td>\n<\/tr>\n<tr>\n<td><strong>Connection<\/strong><\/td>\n<td>Easy<\/td>\n<td>Easy<\/td>\n<\/tr>\n<tr>\n<td><strong>Named parameters<\/strong><\/td>\n<td>Yes<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td><strong>Object mapping<\/strong><\/td>\n<td>Yes<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td><strong>Prepared statements<\/strong><br \/>\n<strong>(client side)<\/strong><\/td>\n<td>Yes<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td><strong>Performance<\/strong><\/td>\n<td>Fast<\/td>\n<td>Fast<\/td>\n<\/tr>\n<tr>\n<td><strong>Stored procedures<\/strong><\/td>\n<td>Yes<\/td>\n<td>Yes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Finally, MySqli is native for php and works very well with MySql. So, you can choose Mysqli only if you are working on Mysql database and not familiar with PDO statements. Its always recommended to prefer PDO, as it supports twelve different database drivers including Mysql database. Performance point of view Mysqli is better and security point of view, both are safe as long as the developer follows recommended statements.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For accessing a database in PHP, we have got two choices: MySQLi (MySQL improved) and PDO (PHP Data Objects) . It is always good to know about these in detail before choosing one. The major differences are listed here. Database Support Database Connection. Security Performance Database Support Database Support PDO<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_joinchat":[],"footnotes":""},"categories":[1,7],"tags":[],"class_list":["post-2757","post","type-post","status-publish","format-standard","hentry","category-uncategorized","category-web-technologies"],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/posts\/2757"}],"collection":[{"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/comments?post=2757"}],"version-history":[{"count":9,"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/posts\/2757\/revisions"}],"predecessor-version":[{"id":4063,"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/posts\/2757\/revisions\/4063"}],"wp:attachment":[{"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/media?parent=2757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/categories?post=2757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cmscomputer.in\/blog\/wp-json\/wp\/v2\/tags?post=2757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}