I'm not sure about the security risk of having the database connection stuff in the auto_prepend file, but it certainly seems like an unnecessary overhead for scripts that do not need it. Under the theory of layered defenses, anything you can do to potentially make a hacker's job more complicated is good; so if it only takes a small effort to remove that code from the auto_prepend file and put it just where it is needed, I would do so.
Using htmlspecialchars as a database escape function only sort of makes sense for actual HTML strings being saved in the database. It is really more applicable when outputting the data to the browser. While I do not think quotes would be a problem with that, quotes are not the only thing dealt with by functions like mysql_escape_string. If using the PEAR MDB2 package, you should probably be using its quote() method for such escaping.
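The point above, as an added example that is not part of the original post: htmlspecialchars() stays at the HTML output layer, while the database escaping is left to MDB2's quote() or, better, a prepared statement. The DSN, table and column names are placeholders, and the sample input is constructed.

```php
<?php
// Added example (not from the post). Assumes PEAR MDB2 is installed;
// the DSN and the users table are placeholders.
require_once 'MDB2.php';

// Wrong layer: htmlspecialchars() is an HTML encoder, not an SQL escaper.
// For the constructed input "O'Brien \" it yields "O&#039;Brien \", so the
// stored value is no longer what the user typed and the trailing backslash
// still reaches the query unescaped (a MySQL string literal treats \' as a
// literal quote, so the closing quote is swallowed).
function html_encoded_sql_value($value)
{
    return "'" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "'";
}

// Right layer for the database: quote() wraps and escapes for the driver's
// SQL dialect, e.g. 'O\'Brien \\' for the mysql/mysqli drivers.
function mdb2_sql_value(MDB2_Driver_Common $db, $value)
{
    return $db->quote($value, 'text');
}

$db = MDB2::connect('mysqli://user:password@localhost/appdb'); // placeholder DSN
if (PEAR::isError($db)) {
    die($db->getMessage());
}

$name = "O'Brien \\"; // constructed sample input ending in a backslash

// Hand-built query using the driver's quoting rather than entity encoding.
$sql = 'INSERT INTO users (name) VALUES (' . mdb2_sql_value($db, $name) . ')';
$res = $db->exec($sql);
if (PEAR::isError($res)) {
    die($res->getMessage());
}

// Better still: a prepared statement, so no quoting is done by hand at all.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (?)', array('text'), MDB2_PREPARE_MANIP);
$res = $stmt->execute(array($name));
if (PEAR::isError($res)) {
    die($res->getMessage());
}
$stmt->free();

// htmlspecialchars() belongs here, when the stored value is sent to the browser.
$row = $db->queryRow('SELECT name FROM users WHERE id = ' . $db->quote(1, 'integer'));
echo '<p>' . htmlspecialchars($row[0], ENT_QUOTES, 'UTF-8') . '</p>';
```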