phpMyAdmin's scripts never have to modify anything inside
this directory, except when we use the Save export file to server
feature (explained in Chapter 6).
Another recommendation is to rename the default phpMyAdmin directory to
something less obvious; this discourages probing of our server. This is called security
by obscurity and can be very effective—but avoid choosing other obvious names
such as admin.
Another possible attack is from other developers having an account on the same
web server as we do. In this kind of attack, someone can try to open our
config.inc.php file. As this file is readable by the web server, someone could try to include
our file from their PHP scripts. This is why it is recommended to use PHP's
open_basedir feature, possibly applying it to all directories from which such attacks could
originate. More details can be found at
http://php.net/manual/en/ini.core.php#ini.open-basedir.
Displaying error messages
phpMyAdmin uses PHP's custom error-handler mechanism. One of the benefits
of this error handler is to avoid path disclosure, which is considered a security
weakness. The default settings related to this are:
$cfg['Error_Handler'] = array();
$cfg['Error_Handler']['display'] = false;
You should leave the default value for display as false, unless you are developing a
new phpMyAdmin feature and want to see all PHP errors and warnings.
Protecting with IP-based access control
An additional level of protection can be implemented, this time verifying the
Internet Protocol (IP) address of the machine from which the request is received. To
achieve this level of protection, we construct rules allowing or denying access, and
specify the order in which these rules will be applied.
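As an added illustration (not phpMyAdmin's own code), the following small Python model shows how a set of ordered allow/deny rules decides a request. The rule strings mirror phpMyAdmin's "allow|deny <user> from <host>" wording, the two order modes follow the Apache-style Order semantics assumed here, and the rule set and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample rule set, not taken from any real deployment.
# Host part: "all", "localhost", a single address, or a CIDR network.
RULES = [
    "allow root from localhost",
    "allow % from 10.0.0.0/8",
    "deny % from 10.0.99.0/24",
]


def _host_matches(pattern, client_ip):
    """True when client_ip falls inside the rule's host pattern."""
    if pattern == "all":
        return True
    if pattern == "localhost":
        pattern = "127.0.0.0/8"
    addr = ipaddress.ip_address(client_ip)
    return addr in ipaddress.ip_network(pattern, strict=False)


def _user_matches(pattern, user):
    """'%' is the wildcard user; anything else must match exactly."""
    return pattern == "%" or pattern == user


def _any_match(action, user, client_ip, rules):
    """True when any rule with the given action (allow/deny) matches."""
    for rule in rules:
        kind, rule_user, _from, host = rule.split()
        if (kind == action and _user_matches(rule_user, user)
                and _host_matches(host, client_ip)):
            return True
    return False


def is_allowed(order, user, client_ip, rules=RULES):
    """Decide access under an Apache-style rule order (assumed semantics)."""
    allowed = _any_match("allow", user, client_ip, rules)
    denied = _any_match("deny", user, client_ip, rules)
    if order == "deny,allow":
        # Access is allowed by default; a deny match blocks the client
        # unless an allow match overrides it.
        return allowed or not denied
    if order == "allow,deny":
        # Access is denied by default; the client needs an allow match
        # and must not hit any deny rule.
        return allowed and not denied
    raise ValueError(f"unknown rule order {order!r}")
```

With the sample rules, a user in the denied 10.0.99.0/24 subnet is still admitted under "deny,allow" because the broader 10.0.0.0/8 allow rule overrides, but is rejected under "allow,deny".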