Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does phpMyAdmin pose security risk on production

Tags:

database

mysql

phpmyadmin

The VPS I was using used to have phpMyAdmin pre-installation option but removed it stating it poses security risk. Does it?

If so do you recommend an alternative for browsing DB on production (other than running SQL commands in console)?

like image 515
Tam Avatar asked Sep 07 '10 19:09

Tam

People also ask

Is phpMyAdmin safe for production?

No, simply. phpMyAdmin has an infamous security history as detailed on SecurityFocus. You don't say what platform you're using, but assuming that you have remote access, I suggest: When you need to perform basic tasks such as checking status or performing a dump.

Is phpMyAdmin a security risk?

The phpMyAdmin developer team is putting lot of effort to make phpMyAdmin as secure as possible. But still web application like phpMyAdmin can be vulnerable to a number of attacks and new ways to exploit are still being explored.

Should phpMyAdmin be publicly accessible?

phpmyadmin is too much of a beast to secure. You'd need mod_security and a week of time debugging the alerts just to disable half of the rules to ensure the functionality of phpmyadmin. Conclusion: Don't make it publicly accessible.

How do I protect phpMyAdmin?

The first step in securing phpMyAdmin is to change the default directory alias that is used to access phpMyAdmin. By default, any user can access phpMyAdmin by accessing the server URL: https://<SERVER IP/DOMAIN>/phpmyadmin. The Alias will now be used as the directory used to access the phpMyAdmin home page.

2 Answers

Any extra software you add to a system adds complexity. Complexity is the enemy of security.

PHP webapps are notorious for sloppy coding and certainly phpMyAdmin has had more than its share of security holes in the past. You can certainly mitigate the damage by eg. putting behind HTTPS with a client certificate, but that's not going to prevent cross-site-request-forgery attacks.

For a production machine, I'd really prefer to stick to the console.

like image 104
bobince Avatar answered Oct 23 '22 17:10

bobince

There have definitely been security wholes in the past. Probably will find new ones in the future. It's always a risk to open that kind of a tool to public web space.

I recommend installing database management software, and connecting to your production DB through an SSH tunnel. If you're on a Mac, I'd install Sequel Pro for free. On other platforms Navicat (and other similar software) is available, but it does cost money.

like image 34
Ryan Williams Avatar answered Oct 23 '22 17:10

Ryan Williams
Sign in to Comment

Related questions

MySQL Unrecognized Keyword near CASE
How to import mysqlclient in python3 [duplicate]
Hibernate - unable to find Entity with ID
Can't connect to db from docker container [duplicate]
Is there a mysql function that will format a unix timestamp?
What is the best way to use number format in a MySQL query?
SQL: select all unique values in table A which are not in table B
How to connect Django to a MySQL database over an SSL connection?
Recommended MySQL tuning utility for Windows
Trim commas with MySQL?
mysql - cannot create view that contains union
How to insert Hindi language in Mysql
PHP: MySQL server has gone away
Mysql - Mysql2::Error: Incorrect string value:
Insert MySQL timestamp column value with SqlAlchemy
Select all fields where fieldone is not equal to null + Propel
Create nested json object using php mysql
MySQL bitwise operations, bloom filter
How to validate a MYSQL Date in PHP?
UNIQUE and PRIMARY KEY

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!