PHP: What to work with?

Okay, so I am working with a community project for my local city.

At the moment I just made the login pages and one page inside sessions..

Now before I code anything more I would like to make sure that further coding (and maybe recode what I have done until now) is simple and secure.

I am using of normal direct mysql_query()´s to speak with the database.

I have seen more and more stuff made in libraries called "PDO" and some others too. 开发者_StackOverflow社区Are they more secure? faster maybe? How do you work with it?

I mean when I am working with queries I just use the simple select,where,from,insert,delete,group by etc. What do you do in PDO? Can you convert the queries you've made in normal queries to PDO statements?

Example: How can I write this in PDO:

mysql_quey("SELECT * FROM users WHERE id = '$id'");

Any link to a tutorials to PDO, with an relative normal understanding english would be great.

Or maybe is there a better alternative than PDO? I dont need that maximum ultimate the best of all and advanced. I just want it secure to prevent normal and typical SQL injections.

Any detailed and well informed answer will be accepted.

PDO is way better, for the following reasons:

• Supports multiple DBMSs, not only MySQL, but also sqlite, ODBC etc.
• Native transaction support
• Support for prepared statements which prevent SQL injection.

Using prepared statements, you would write your code like this:

$sth = $dbh->prepare('SELECT * FROM users WHERE id=:id');
$sth->execute(array(':id'=>$id));

For more information, see the documentation on prepare.

You should work with a framework. There are plenty of them: Kohana, Symfony, CakePHP, CodeIgniter, etc.

Most will handle not only the database issues (as the mySQL injection) but a lot of conventional features as well as templates, reusable elements, routes, etc.

Have a look at them.

The most convenient way to deal with security problems when interacting with a SQL database like MySQL is using prepared statements. With those you don't have to escape values as queries are made joining two parts: the statement itself (generic with placeholders) and the values added later in the right place. That's the most robust form of protection against SQL injections.

Libraries like PDO provide other advantages such as abstraction (unless you need hacks specific to a database platform you can reuse the same code even if you change DBMS), OO interface, helper functions, better interaction with objects (see ORM) and other things you may or may not need depending on your project.

In the end I would suggest considering a library a bit more high level than simple mysql_* as it's just the most basic interaction.