I’m going to recommend PDO over MySQLi simply because it’s available on more systems, and it’s syntax may be a little bit easier to learn for newbies. PDO has been bundled with the main PHP distribution since PHP 5.1, and has been in PECL even longer, while MySQLi has only been included since 5.3. Whichever you use is up to personal preference and project requirements of course, but I will be sticking with PDO for the duration of this tutorial.

Suppose you have a simple bit of PHP that executes a MySQL query and ouputs a list of items to screen. It might look something like this:

    $db = mysql_connect("localhost", "username", "password");
    mysql_select_db("database", $db);

    $string = mysql_real_escape_string($string, $db);
    $query = "SELECT * FROM my_table WHERE item_cat='".$string."' ORDER BY item_date DESC LIMIT 5";
    $result = mysql_query($query);

    if ( mysql_num_rows($result) > 0 ) {
        while ( $row = mysql_fetch_assoc($result) ) {
            echo $row['item_title'] . '<br />';
        }
    }

You’re escaping any input from a third party with mysql_real_escape_string() to prevent injection attacks, I hope. SQL injection is one of the most common ways data is stolen or destroyed by attackers, and it’s also fairly easy to discourage. Escaping input, while not necessarily 100% effective, should prevent most injection attacks. (And it’s pretty much your only choice with the old MySQL extension.) A better solution is parameterized statements, which we’ll get to later.

If your server has PDO installed (which is probably the case if you have PHP 5.1 or greater), migrating is fairly easy. The basic principles are the same, though the syntax differs just a bit. It’s actually a bit cleaner and more object-oriented.

The example above would look something like this:

$db = new pdo("mysql:host=localhost;dbname=database_name", "username", "password");
$string = $db->quote($string);
$query = "SELECT * FROM my_table WHERE item_cat=$string ORDER BY item_date DESC LIMIT 5";
$result = $db->query($query);

if ($result != false) {
    while ( $row = $result->fetch(PDO::FETCH_ASSOC) ) {
        echo $row['item_title'] . '<br />';
    }
}

$result  = null;

Doesn’t that look nicer? Feel free to take a moment to appreciate the object-oriented goodness.

The biggest difference is probably the connection line. The “DSN” syntax used to connect to the database might look a bit strange at first, but it’s an important part of PDO. Since PDO can connect to other types of databases besides MySQL (e.g. PostgreSQL and SQLite), it uses a fairly standard connection string that specifies the server type besides the database name.

Escaping strings works essentially the same, but the syntax is slightly different. You need to remember to not put quotes around the variable in your SQL string, as the PDO::quote() method will do it for you. If you compare the SQL statements in the two examples, you’ll see the lack of quotations in the PDO example.

One gotcha to be aware of with PDO is that you need to set your $result variable to null if you intend to reuse it later on in the same script. You can end up with some weird results if you don’t. So just get in the habit of setting it to null or using unset() on it.

Now how about those parameterized statement things? They’re a way of ensuring that your code will be immune to SQL injection. Instead of mashing PHP strings together and passing the resulting query to the database engine, you keep the query and the potentially dangerous data separate. Placeholders are put in the query, and the data assigned to those placeholders is sent along with it.

$db = new pdo("mysql:host=localhost;dbname=database_name", "username", "password");

$sql = "SELECT * FROM my_table WHERE item_cat= :mystring ORDER BY item_date DESC LIMIT 5";
$statement = $db->prepare($sql);

$statement->execute(array(
    ':mystring' => $my_string
));

$result = $statement->fetchAll();

if ($result != false) {
    while ( $row = $result->fetch(PDO::FETCH_ASSOC) ) {
        echo $row['item_title'] . '<br />';
    }
}

$result  = null;

Parameterized queries may have some performance issues on MySQL versions prior to 5.1, but they shouldn’t have any significant disadvantages on more modern systems. Security-wise, they’re considered to be better than simply escaping strings.

I hope this little guide has been sufficient to get you started with PDO. You will probably want to check out the documentation to see what else it can do. While you don’t necessarily need to go out and update your old code right away—the PHP devs aren’t going to drop support for the old ext/mysql extension for quite a long time, if they ever get rid of it completely—but you should definitely familiarize yourself with the newer techniques and use them in new projects.

You can find a nice introduction and examples at WP Engineer. Here’s a sample of how you would go about changing the title of a post with a certain ID:

$wpdb->update( $wpdb->posts, array( 'post_title' => $new_post_title ),
 array( 'ID' => $the_post_id ) );

That’s just scratching the surface, but it gives a good idea of how the database functions work.

For even more in-depth reading, there’s a good Codex page on the subject as well.

As common as they may be, databases sure are mysterious critters. It look me awhile to grasp the concept of them at first, and even longer for me to pick-up the skills required to make use of them. In addition to knowing a scripting language like PHP or Perl, and how to submit a query to the DB server, you also need to know the SQL language.

I just finished a great book on MySQL. Learning MySQL by Seyed M.M. Tahaghoghi and Hugh Williams is a comprehensive and well-explained book that teaches you from the ground up about MySQL databases and how to work with them. It introduces the concept of a database, walks you through installing the MySQL server software (if you’re not already running it), explains querying, then moves on to the real meat of the book: Structured Query Language, or SQL. It covers basic SELECTS and INSERTs, JOINS, nested queries, table and column types, and really everything you need to know to get started.

Following chapters cover topics like using PHP or Perl to interact with databases (as opposed to using a MySQL prompt) and securing web applications. There are also sections on planning database structures optimally, optimizing performance.

The book is written in a manner that should make it easy to follow, it’s full of code examples to try out, and overall is enough to give you a general to intermediate knowledge of MySQL. It also works as a handy reference.