The Simple PHP MySQL Library
How can I be sure that MeekroDB is actually safe?
MeekroDB has been Google's #1 search result for "php mysql library" for over 2 years, and has thousands of deployments worldwide. In that time, we have never had any security issues. The code is developed with a healthy level of paranoia, and automated unit tests check every new version for problems. Our code is open source, and many developers have examined it for security flaws and found none.
While there is no such thing as a 100 percent guarantee, an excellent security track record like ours is a good place to start.

Are there any extra precautions I should take to prevent SQL injection?
MeekroDB makes SQL injection 100% impossible if you follow 2 simple rules. First, never use the %l (literal) and %b (backtick) placeholders with user-supplied data. These placeholders don't escape your data the way all of the others do. Second, never change the character set at runtime using the MySQL commands SET NAMES or SET CHARACTER SET. If you need to change the character set, only use DB::$encoding in the same place where you set your MySQL username/password.

Can I have multiple MySQL connections?
Absolutely! The easiest thing to do is just switch between databases with DB::useDB(). If you actually want multiple connections, you should use new MeekroDB() to create non-static instances of MeekroDB.

I have a long-running PHP script, and keep getting "MySQL server has gone away".
You need the line "mysqli.reconnect = 1" in your php.ini file. This file might be in a different place depending on your server, but Ubuntu has /etc/php5/cli/php.ini and /etc/php5/apache2/php.ini. Because of PHP restrictions, there is no way to change this setting without having root and MeekroDB can't set it for you. See PHP documentation on this for more.

I'm pulling a very large data set from MySQL, and keep getting out-of-memory errors.
You should use DB::queryRaw() to get a mysqli_result object, and then use PHP's mysqli_result::fetch_assoc() to grab rows one at a time.
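The two rules above (escaped placeholders for user data, %b only for fixed identifiers) and the row-at-a-time pattern from this answer, as an added example that is not part of MeekroDB's own code or documentation. It assumes meekrodb.php is on the include path, that a table `users` with columns id, name and created_at exists, and that the credentials shown are placeholders.

```php
<?php
// Added example; not MeekroDB's own code. Assumes meekrodb.php is on the include path.
require_once 'meekrodb.php';

// Connection settings live in one place. The character set is set here via DB::$encoding,
// never later with SET NAMES / SET CHARACTER SET, so escaping stays consistent.
DB::$user     = 'app_user';   // placeholder credentials
DB::$password = 'app_pass';
DB::$dbName   = 'app_db';
DB::$encoding = 'utf8mb4';

// The only column names a caller may sort by. %b wraps its argument in backticks without
// escaping it, so it must only ever receive one of these fixed strings, never raw input.
const SORTABLE_COLUMNS = ['id', 'name', 'created_at'];

/**
 * Look up users whose name starts with $prefix (user-supplied), sorted by $sortBy (user-supplied).
 * $prefix goes through %s, which MeekroDB escapes and quotes. $sortBy is mapped onto the
 * allowlist before it reaches %b, so arbitrary input never becomes part of the SQL text.
 */
function findUsers(string $prefix, string $sortBy): array {
    if (!in_array($sortBy, SORTABLE_COLUMNS, true)) {
        $sortBy = 'id'; // unknown sort column: fall back to a safe default
    }
    // '%' and '_' are LIKE wildcards, not injection vectors; escape them so a prefix matches literally.
    $pattern = addcslashes($prefix, '%_\\') . '%';
    return DB::query("SELECT id, name FROM users WHERE name LIKE %s ORDER BY %b", $pattern, $sortBy);
}

/**
 * Stream a large result set one row at a time instead of loading it all into memory.
 * Returns the number of rows visited. $handler receives each associative row.
 */
function eachUser(callable $handler): int {
    $result = DB::queryRaw("SELECT id, name, created_at FROM users"); // mysqli_result, not an array
    $count = 0;
    while (($row = $result->fetch_assoc()) !== null) {
        $handler($row);
        $count++;
    }
    $result->free();
    return $count;
}

// Usage: the sort column comes straight from the request but can only ever be one of SORTABLE_COLUMNS.
$rows = findUsers($_GET['q'] ?? '', $_GET['sort'] ?? 'id');
$total = eachUser(function (array $row): void { /* write $row to a CSV, etc. */ });
```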

When I use insert(), it tries to insert a NULL value for a missing variable, but my table columns are set to NOT NULL.
By default, insert() uses NULL if you pass a variable that's unset or set to null. You can change this by setting DB::$usenull to false.

How do I test if an INSERT was successful?
DB::insert() does not return anything. If an INSERT operation fails, MySQL treats this as an error (same as if you gave an invalid MySQL query). By default, this means MeekroDB's error handler will run, but you can change that behavior with the variables $error_handler and $throw_exception_on_error.

On the other hand, a DB::insertIgnore() will not trigger an error if the INSERT fails. In this case, you can check if it worked by checking the DB::affectedRows() count.

How do I use MySQL's DATE_FORMAT(), since %d has a special meaning to MeekroDB?
Like this:

DB::queryFirstField("SELECT DATE_FORMAT('2009-10-04 22:23:00', %s)", '%H:%i:%s');

Why don't you support prepared statements?
We plan to add prepared statements in the future, but they are not a high priority because, for the vast majority of web apps, they are not necessary. The PHP/mysqli benchmarks show that there is almost no measurable speed advantage for prepared statements, and in the most common cases they are actually a little bit slower. They're not necessary for security, either -- with proper automated escaping like what MeekroDB does, non-prepared queries are just as safe.

Need Help?

MeekroDB is actively developed, so I'm interested in hearing about any difficulties you might be having. I'm ready to fix bugs and make improvements.

Copyright (C) 2008-2019 :: LGPL v3