Reputation: 6693
Having a class with pre-built queries that can be altered is the main known method; but say there are about 80 tables, each holding thousands of rows of data; it would take so long to write queries for each of them...
I'd just like to understand why having an open connection in a main scope is actually a security issue - how can they "intercept" it?
Take for example:
```php
// Main index page
$db = new PDO('mysql:host=x;dbname=x;', 'user', 'pass');
```
Would this be a threat and if so how? (since it's never reverted back to null)
Or would this be a more secure method of doing the above since the instance is never saved?
```php
final class DataCenter
{
    // Hands out a fresh connection each time; nothing is kept in a variable
    public static function GetInstance()
    {
        return new PDO('mysql:host=x;dbname=x;', 'x', 'x');
    }
}

$stmt = DataCenter::GetInstance()
    ->prepare("SELECT * FROM x");
$stmt->execute();
$rows = $stmt->fetchAll();   // fetchAll() returns the rows; the statement object itself holds none
print_r($rows);
```
If this is confusing, I apologise - I just want to know: if instantiating a PDO connection which never dies or is never reverted back to null is a security issue, how so? Since the users cannot see the code.
Thanks in advance.
Upvotes: 1
Views: 47
Reputation: 522382
> establishing connections in a 'global' scope can be 'intercepted'
Well, no, that's completely bunk. Variable scope is only a thing that helps you organise your code in a maintainable and sane way. It is not a security measure by any stretch of the imagination. If somebody, anybody, can "intercept" global variables on your server, then they can intercept all kinds of variables and memory contents of your server. Because it would mean that they're on your server poking around your memory. If an attacker is there already, you're dead in the water anyway.
Global variables aren't any more insecure "from outside" your server (where your average attacker would reside, hopefully) than any other kind of variable.
Note that there are still any number of other arguments against global variables, but security isn't one of them.
Upvotes: 3
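An added example, not code from the question or the answer, to put the answer's point next to the question's two patterns: a connection held in a global `$db` and one handed out by a static factory behave identically, and what decides whether a query is safe is how values reach the SQL text, not where the PDO object lives. It assumes the `pdo_sqlite` extension and an in-memory database so it runs offline (the MySQL DSN from the question would behave the same); `DataCenter::getInstance`, `findUserUnsafe`, `findUserSafe`, `fetchTable` and the sample rows are constructed for this example.

```php
<?php
// Added example; assumes pdo_sqlite. The MySQL DSN from the question works the same way.
declare(strict_types=1);

// Pattern 1 from the question: connection created in the main (global) scope.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Pattern 2 from the question: a static factory that hands out the connection.
// (Hypothetical class for this example; caches one connection per request.)
final class DataCenter
{
    private static ?PDO $conn = null;

    public static function getInstance(): PDO
    {
        if (self::$conn === null) {
            self::$conn = new PDO('sqlite::memory:');
            self::$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        }
        return self::$conn;
    }
}

// Constructed schema and rows so the example is self-contained.
function seed(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (["O'Brien", 'alice'] as $name) {
        $ins->execute([':name' => $name]);
    }
}

// Weak form: the value is pasted into the SQL text. Even an ordinary apostrophe
// in legitimate data breaks the statement, which is the symptom of the real problem.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Corrected form: the value travels as a bound parameter, never as SQL text.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// One reusable reader for many tables (the "80 tables" concern): identifiers
// cannot be bound, so the table name is checked against an allowlist instead.
// (MySQL would quote the identifier with backticks rather than double quotes.)
const KNOWN_TABLES = ['users'];

function fetchTable(PDO $pdo, string $table, int $limit = 100): array
{
    if (!in_array($table, KNOWN_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $stmt = $pdo->prepare("SELECT * FROM \"$table\" LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Both connections give the same results: scope changes nothing, binding does.
$connections = ['global $db' => $db, 'DataCenter::getInstance()' => DataCenter::getInstance()];
foreach ($connections as $label => $conn) {
    seed($conn);
    try {
        findUserUnsafe($conn, "O'Brien");
        echo "$label: concatenated query unexpectedly succeeded\n";
    } catch (PDOException $e) {
        echo "$label: concatenated query failed on an apostrophe: " . $e->getMessage() . "\n";
    }
    print_r(findUserSafe($conn, "O'Brien"));   // one row on either connection
    print_r(fetchTable($conn, 'users'));       // both constructed rows
}
```

Run with `php example.php`. The only line that changes behaviour between the two halves is the one that builds the SQL string; swapping `$db` for `DataCenter::getInstance()` (or leaving the connection open until the script ends) alters neither outcome.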