From a security standpoint IF you are using the object driven version, there is little if any difference so long as you use prepared queries and keep the connection local in scope, only passing it to where it's needed. IF you are passing values to a query, you use prepare to make a statement, then pass the values separately. If you are blindly dumping values into your query string, you've completely missed the point! The real difference between them is that mysqli provides functional wrappers for people too stupid to use objects, only works with mysqli, and has a bit more awkward a prepare structure since you pretty much have to use bindparam. PDO has a slew of advantages, not the least of which being you can use it to interface more than one SQL engine. The use of named labels, or as they want to call it "placeholders", makes query maintenance significantly simpler as you don't have to "count the question marks" -- and the ability to pass an array to ->execute instead of using bindparam usually results in less code and clearer syntax. It's all the other things about PDO that make me favor it, not any sort of security issues. From a security standpoint, so long as you are using prepared queries when plugging in values instead of adding values to your query string like a mouth-breathing halfwit, there's really little difference between them. Particularly if you kill off "emulated prepares". Honestly, the first time I saw a mysql query string in PHP some fifteen years ago, the string of expletives that came forth from my mouth made Andrew Dice Clay sound like Mr. Rogers...
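The pattern described in the post above (connection kept in local scope, named placeholders, an array passed to execute, emulated prepares turned off for MySQL), as an added example that is not part of the original post. The `users` table and the function names `openDb` and `findUser` are constructed for illustration, and SQLite in memory is used only so the script runs offline.

```php
<?php
// Added example; table, columns and function names are hypothetical.

function openDb(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // With the MySQL driver, turning emulation off makes the server prepare
    // the statement, so values are sent separately from the SQL text.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $pdo;
}

// The connection is an argument, not a global: only code that is handed
// the PDO object can query the database.
function findUser(PDO $db, string $name, int $minLevel): array
{
    $stmt = $db->prepare(
        'SELECT id, name, level FROM users WHERE name = :name AND level >= :level'
    );
    // Named placeholders: no counting question marks, no bindParam calls.
    $stmt->execute([':name' => $name, ':level' => $minLevel]);
    return $stmt->fetchAll();
}

function main(): void
{
    // Constructed sample data in an in-memory SQLite database.
    $db = openDb('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, level INTEGER)');
    $ins = $db->prepare('INSERT INTO users (name, level) VALUES (:name, :level)');
    foreach ([['alice', 3], ['bob', 1]] as [$name, $level]) {
        $ins->execute([':name' => $name, ':level' => $level]);
    }

    // An ordinary lookup.
    var_dump(findUser($db, 'alice', 1));
    // Input containing quotes is bound as one string value; it is compared
    // against the name column and never parsed as SQL.
    var_dump(findUser($db, "alice' OR '1'='1", 0));
}

main();
```

Swapping the DSN for a `mysql:` one leaves `findUser` untouched, which is the multi-engine point made in the post.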
I'm surprised people still use mySQL Functions in PHP and not exclusively PDO (or a similar library). In fact, 10 years ago the use of mysql functions was in question. Why on earth would this topic ever come up today in 2015???? I blame newbies reading articles and posts by other newbies written ages ago...
mysql_ != mysqli (http://php.net/manual/en/book.mysqli.php). mysqli can be used as an object, or via wrapping functions. The old mysql_ functions don't even play into this conversation.
Easy mistake to make, done it a few times myself. Kind of wish they killed off mysqli in PHP 7. I mean part of the whole migration and sets of improvements has been to kill off redundancies -- and you don't get much more redundant than mysql vs. PDO. I know why they kept it though, the procedural wrappers are a crutch for the people who "can't handle objects" or still have their head stuck in mysql_ functionality. Which is why you still see people using mysqli doing dumbass things like putting the connection object in global scope, login data in define, and blindly pasting variables into their query strings.
My guess about keeping it in PHP7 is that it does still do its job just fine, and some people use it exclusively. If it ain't broke, don't fix it, right? It's better to just keep it, instead of forcing people that use it to again upgrade! Just imagine if you didn't know about PDO and you upgraded an application from MySQL to MySQLi and then they forced you again to move MySQLi to PDO!
Well, for that argument to work, they could have at least gotten rid of the procedural wrappers. At least that would've exposed quite a few sites out there using legacy, outdated code.
Thing is, with the procedural wrappers being engine specific, and not quite being as robust on some simpler tasks... it is pretty well broken and just lets people continue to sleaze together pages any-old-way. Then I'd say they chose poorly; but again the only reason IMHO people would choose mysqli over PDO is the functional wrappers being a crutch for the feeble minded fools who can't handle objects or just did 1:1 replacements with their broken mysql_ code without actually fixing anything... Which I've seen WAY too much of with dumbasses still building query strings with values in them -- COMPLETELY missing the point. Admittedly, you can still actually do that with PDO, but it might at least have been a bit swifter a kick in the ass to tell people to Golf Alpha Foxtrot Charlie.
They probably did choose poorly, but not everyone is a PHP artisan. PHP can't just be upgraded to serve the needs of the developers that pay attention; some developers are lazy and get along just fine! Also, it took me far too long to work out your "GAFC" there. I'm not proud!
Laughably just using that word sets off my scammy sense these days. Don't know how that became a "loaded word" for me, but I suspect it's all the artsy fartsy types running around calling themselves "designers" in complete ignorance of usability and accessibility.