Logging in to an account without a password
MySQL's default installation leaves a server open to intrusion because it creates a MySQL account named root without a password—unless a password has been set by the MySQL distributor. The recommended remedy for this security weakness is to set a password for the root account. If we cannot or do not want to set one, we will have to make a configuration change to phpMyAdmin. A server-specific configuration parameter, $cfg['Servers'][$i]['AllowNoPassword'], exists for this purpose. Its default value is false, which means that no account is permitted to log in without a password. Generally, this directive should remain false to avoid this kind of access through phpMyAdmin, as hackers are actively probing the web for insecure MySQL servers. Go through the Securing phpMyAdmin section for other ideas about protecting your server.
If the AllowNoPassword parameter is left set to false and a login attempt is made without a password, an Access denied message is displayed.
Authenticating a single user with config
We might need to connect automatically to a MySQL server via phpMyAdmin, using a fixed username and password, without being prompted for them. This is precisely the goal of the config authentication type.
For our first example, we will use this config authentication. However, in the Authenticating multiple users section, we will see more powerful and versatile ways of authenticating.
Using the config authentication type leaves our phpMyAdmin open to intrusion, unless we protect it as explained in the Securing phpMyAdmin section of this chapter.
Here, we ask for config authentication, and enter our username and password for this MySQL server:
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'marc';
$cfg['Servers'][$i]['password'] = 'xxx';
We can then save the changes we made in config.inc.php.
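The two settings discussed above, AllowNoPassword and the config authentication type, can be checked mechanically before a configuration is deployed. The following audit script is an added example, not code from the book or from phpMyAdmin; the function names and the sample configuration are constructed, and it assumes one assignment per line, no block comments, and server blocks separated by $i++; as in the configuration layout shown above.

```python
import re

# Matches lines such as: $cfg['Servers'][$i]['auth_type'] = 'config';
ASSIGN = re.compile(
    r"""^\s*\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*(?P<val>[^;]*);""")
NEXT_SERVER = re.compile(r"^\s*\$i\+\+\s*;")

# Constructed sample config (not from a real server).
SAMPLE = r"""
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'marc';
$cfg['Servers'][$i]['password'] = 'xxx';
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

def parse_servers(text):
    """Return one settings dict per server block; each $i++ starts a new block."""
    servers, current = [], {}
    for line in text.splitlines():
        if NEXT_SERVER.match(line):
            if current:
                servers.append(current)
            current = {}
        elif (m := ASSIGN.match(line)):
            current[m["key"]] = m["val"].strip().strip("'\"")
    return servers + ([current] if current else [])

def audit(text):
    """Return (server_number, finding) pairs for the two settings discussed above."""
    findings = []
    for n, s in enumerate(parse_servers(text), start=1):
        if s.get("AllowNoPassword", "false").lower() == "true":
            findings.append((n, "AllowNoPassword is true: logins without a password are permitted"))
        if s.get("auth_type") == "config":
            detail = "an empty password" if not s.get("password") else "a stored password"
            findings.append((n, f"auth_type is config with {detail}: restrict access to phpMyAdmin"))
    return findings

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"server {n}: {finding}")
```

Server numbers count only blocks that set at least one value, so an empty block between two $i++; lines does not shift the findings.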