
PHP/mysql: Is changing (SELECT, {resource}) to ({resource}, SELECT) a viable temporary patch for mysql_* to mysqli_*?

On first inspection of the differences in application of the mysql*() and mysqli*() families of functions, it appears to me that

$seta = mysql_query("SELECT * FROM table WHERE field = $Filter", $database);

Can be rapidly replaced with:

$seta = mysqli_query($database, "SELECT * FROM table WHERE field = $Filter");

Similarly, it also appears that

if ($A = mysql_fetch_array($seta)) {
    do {
        //code here
    } while ($A = mysql_fetch_array($seta));
}

Could be replaced with:

if ($A = mysqli_fetch_array($seta)) {
    do {
        //code here
    } while ($A = mysqli_fetch_array($seta));
}

Will this work the way I am expecting it to? As it worked before mysqli*()?

PLEASE NOTE : I am not asking if I SHOULD do this, only if I CAN do this. I know full well that slapping a band-aid on a broken leg is useless... That said, I don't have that many hours of coding/testing time before the Demo in March this is being prepped for.

Yes, I understand that this is vulnerable code. I won't go to production without safeguards. I also realize that I am not using all the power of the mysqli*() family of functions this way.

My goal is to refactor everything properly when there isn't such a heavy time crunch (Yes, I know, famous last programmer words). I just need the patched code to run for a Demo then I can retire it.

I have high hopes that with a working prototype -- both in situ and on a server I'm spinning up just to demonstrate the need for software updates -- I'll be able to leave the PHP v4.x blues behind.

Project:
PHP/MySQL better user searching

Also checked:
How to upgrade from mysql* to mysqli*?
PHP Migrating from mysql* to mysqli
Above titles were trimmed of underscores to prevent formatting

The quick and dirty method, with emphasis on dirty, is to do it this way by converting mysql_query to mysqli_query and so on. The problem is mysql_query is really clunky to use, so preserving that coding style is not going to help clean anything up.

Although I'd strongly recommend switching to PDO (it's a more flexible and capable database layer), if you want mysqli then what you want to do is employ parameterized queries and bind_param to add user data to your query. This solves the vast majority of SQL injection bugs out of the gate. I'd also suggest using the object-oriented interface so your updated code is obvious. The difference of a single i can be easy to overlook, plus it's typically less verbose.

In other words, your replaced code looks like:

$stmt = $database->prepare("SELECT * FROM table WHERE field=?");
$stmt->bind_param('s', $filter);
$stmt->execute();
$res = $stmt->get_result(); // execute() only returns a bool; get_result() gives the result set

If you're disciplined about doing this you should catch all your SQL mistakes.

PDO is nicer because of named parameters:

$stmt = $database->prepare("SELECT * FROM table WHERE field=:filter");
$stmt->execute(array('filter' => $filter));
$res = $stmt->fetchAll(); // execute() only returns a bool; the rows come from the statement

That usually means less code in the long-run.
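As an added example (not code from the question or the answer), here is the asker's query plus fetch loop rewritten with a mysqli prepared statement, so the filter value never becomes part of the SQL text. It assumes `$database` is an open mysqli connection on a mysqlnd build (needed for `get_result()`), and keeps the hypothetical table and column names from the question.

```php
<?php
declare(strict_types=1);

// Added example: the "SELECT * FROM table WHERE field = $Filter" loop
// from the question, converted to a parameterized mysqli query.
// Assumes $database is an open mysqli connection (mysqlnd driver).
function searchByField(mysqli $database, string $filter): array
{
    // Identifiers cannot be bound, so the table/column names stay in the
    // SQL string (backticks because TABLE is a reserved word in MySQL);
    // only the user-supplied value is a placeholder.
    $stmt = $database->prepare('SELECT * FROM `table` WHERE field = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $database->error);
    }

    // 's' = bind as a string; the driver types and escapes it, not our code.
    $stmt->bind_param('s', $filter);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }

    // execute() only returns a bool; get_result() yields the result set.
    $result = $stmt->get_result();
    if ($result === false) {
        throw new RuntimeException('get_result failed: ' . $stmt->error);
    }

    // Equivalent of the asker's do/while over mysql_fetch_array(),
    // but as a plain while loop collecting associative rows.
    $rows = [];
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }

    $result->free();
    $stmt->close();
    return $rows;
}

// Usage: a value containing a quote is sent as data, not as SQL.
// $rows = searchByField($database, "O'Brien");
```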
