Anyone using phpMyAdmin?

software development

#1

Hi,

I use phpMyAdmin at another of my hosts and it rocks. I’m going to try to install it here for my various DH sites too. Just wondering if anybody else has installed it here and if there are any issues I should be aware of.

thanks!

Barry


#2

I’ve never used it but a lot of customers have successfully. One thing to note is that if you have sensitive information in your database, you should be a bit cautious since if you’re using the version of PHP that’s compiled into Apache, you will have to put your database password in a file that’s readable by Apache (and thus most likely by other users). We will soon have a version of PHP (with some extra features like GD libraries) running as a CGI; if you run php as a CGI it runs as your user so you can keep database passwords private.


#3

Thanks Will. I’m going to try it.

A thought on DB passwords: if I store my connection info in an include file outside the public html directory, haven’t I prevented some of the danger? What vulnerabilities remain?

I’d like to avoid running php as a CGI for now.

Barry


#4

[quote]A thought on DB passwords: if I store my connection info in an include
file outside the public html directory, haven’t I prevented some of the
danger? What vulnerabilities remain?

[/quote]

Other users can still read your password if it’s readable by the system. We could set the ownership to be owned by apache’s group for you and then you could make it group readable but not world readable… but other users could still write PHP scripts to read your include file. And you’d have to contact us to manually chgrp any files you needed this done for which is kind of a pain.

We do have some new restrictions as far as how far outside their home directories users can go using PHP, however this function doesn’t work as well as PHP says it does, so we’ve had to set some users’ base paths to ‘/home’. Thus there are no guarantees (although I’ve honestly never seen a case where one user definitely stole another user’s password). This is unfortunate, but running PHP as a CGI (which as you may know has its own set of problems) is really the only way to be reasonably sure someone else won’t get access to your database password if they want to badly enough.
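
An added example, not part of the original thread: a Python check that classifies who can read a credentials file from its own mode bits and the search bits of its parent directories, which covers both the include file outside the web root and the chgrp-to-Apache arrangement discussed above. The function name `readers`, the `private/db.inc.php` layout and the placeholder password are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def readers(path, base):
    """Classify who besides the owner can read `path`, from mode bits only
    (ACLs ignored). Returns "world", "group" or "owner". Directories from
    the file's parent up to `base` (e.g. your home) are checked too, since
    reading a file also needs search (x) permission on each of them."""
    path, base = os.path.realpath(path), os.path.realpath(base)
    if path == base or os.path.commonpath([path, base]) != base:
        raise ValueError("path must be a file below base")
    fst = os.stat(path)
    world = bool(fst.st_mode & stat.S_IROTH)
    group = bool(fst.st_mode & stat.S_IRGRP)  # e.g. after chgrp to Apache's group
    d = os.path.dirname(path)
    while True:
        dst = os.stat(d)
        other_x = bool(dst.st_mode & stat.S_IXOTH)
        # A member of the file's group gets a directory's group bits only if
        # the directory belongs to that group; otherwise the "other" bits.
        same_gid = dst.st_gid == fst.st_gid
        group_x = bool(dst.st_mode & stat.S_IXGRP) if same_gid else other_x
        world, group = world and other_x, group and group_x
        if d == base:
            break
        d = os.path.dirname(d)
    return "world" if world else "group" if group else "owner"

def demo():
    """Constructed layout: <home>/private/db.inc.php, outside any web root."""
    cases = [(0o755, 0o644), (0o755, 0o640), (0o750, 0o644),
             (0o700, 0o644), (0o755, 0o600)]  # (directory mode, file mode)
    results = {}
    with tempfile.TemporaryDirectory() as home:
        private = os.path.join(home, "private")
        os.mkdir(private)
        conf = os.path.join(private, "db.inc.php")
        with open(conf, "w") as f:
            f.write("<?php $dbpass = 'placeholder'; ?>\n")  # constructed sample
        os.chmod(home, 0o755)
        for dmode, fmode in cases:
            os.chmod(private, dmode)
            os.chmod(conf, fmode)
            results[(dmode, fmode)] = readers(conf, home)
    return results

if __name__ == "__main__":
    for (dmode, fmode), who in demo().items():
        print(f"dir {dmode:o} file {fmode:o} -> readable by: {who}")
```

A "group" result where the group is the web server's still leaves the file readable by any PHP script that runs inside the web server process, whichever customer wrote it.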


#5

Hi!

To avoid having clear text passwords in a world readable config.inc.php file, I want to use “advanced”/http authentication on phpmyadmin.
For that, a control user with read-only permissions to the system’s mysql database is needed, as explained in phpmyadmin documentation. Does such a user already exist? If not, would you mind creating it?

  • For ‘http’ and ‘cookie’ modes, phpMyAdmin needs a controluser that
    has only the SELECT privilege on the mysql.user (all columns
    except “Password”), mysql.db (all columns) & mysql.tables_priv
    (all columns except “Grantor” & “Timestamp”) tables.
    You must specify the details for the controluser in the
    config.inc.php3 file under the $cfgServers[$i]['controluser'] &
    $cfgServers[$i]['controlpass'] settings.
    This example assumes you want to use pma as the controluser and
    pmapass as the controlpass:

GRANT USAGE ON mysql.* TO 'pma'@'localhost' IDENTIFIED BY 'pmapass';
GRANT SELECT (Host, User, Select_priv, Insert_priv, Update_priv,
    Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv,
    Process_priv, File_priv, Grant_priv, References_priv, Index_priv,
    Alter_priv) ON mysql.user TO 'pma'@'localhost';
GRANT SELECT ON mysql.db TO 'pma'@'localhost';
GRANT SELECT (Host, Db, User, Table_name, Table_priv, Column_priv) ON
    mysql.tables_priv TO 'pma'@'localhost';
… and if you want to use the bookmark feature:
GRANT SELECT, INSERT, DELETE ON <bookmark_db>.<bookmark_table> TO
    'pma'@'localhost';

pma would be any other username you find fit, and localhost would be %.dreamhost.com

Thanks a lot.