Suppose we want to allow access by default, denying access only to some username/IP pairs. In that case, we should use:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
Here, all deny rules are applied first, followed by the allow rules. If a username/IP pair is not mentioned in the rules, access is granted. To be more restrictive, we would want to deny by default. We can use:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
This time, all allow rules are applied first, followed by the deny rules. If a username/IP pair is not mentioned in the rules, access is denied. The third (and most restrictive) way of specifying the rule order is:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
Now, deny rules are applied before allow rules. For access to be granted, a username/IP address pair must be listed in the allow rules and must not be listed in the deny rules.
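To make the three order modes concrete, here is an added Python model of the evaluation (not phpMyAdmin's own code); it assumes a simplified rule form of (action, username, source) where '%' matches any user and 'all' matches any address, and it shows how the same rule set yields different decisions under each order:

```python
from ipaddress import ip_address, ip_network

# Constructed, simplified rule model: (action, username, source).
# '%' matches any username; 'all' matches any address, otherwise the
# source is an IP address or CIDR network. This is an added illustration
# of the three AllowDeny order modes, not phpMyAdmin's real rule parser.

def _matches(rule, user, ip):
    action, rule_user, rule_src = rule
    if rule_user != '%' and rule_user != user:
        return False
    if rule_src == 'all':
        return True
    return ip_address(ip) in ip_network(rule_src, strict=False)

def is_allowed(order, rules, user, ip):
    """Decide access for (user, ip) under the given AllowDeny order."""
    denied = any(_matches(r, user, ip) for r in rules if r[0] == 'deny')
    allowed = any(_matches(r, user, ip) for r in rules if r[0] == 'allow')
    if order == 'deny,allow':
        # deny rules first, then allow rules; a matching allow rule wins,
        # and a pair mentioned nowhere is granted access
        return True if allowed else not denied
    if order == 'allow,deny':
        # allow rules first, then deny rules; a matching deny rule wins,
        # and a pair mentioned nowhere is refused
        return False if denied else allowed
    if order == 'explicit':
        # must be listed in allow and must not be listed in deny
        return allowed and not denied
    raise ValueError(f"unknown order: {order!r}")

# Constructed sample rule set: root only from localhost, app only from 10/8.
RULES = [
    ('allow', 'root', '127.0.0.1'),
    ('deny', 'root', 'all'),
    ('allow', 'app', '10.0.0.0/8'),
]

if __name__ == '__main__':
    for order in ('deny,allow', 'allow,deny', 'explicit'):
        for user, ip in (('root', '127.0.0.1'), ('guest', '10.1.2.3')):
            print(order, user, ip, is_allowed(order, RULES, user, ip))
```

Note that root from localhost is accepted only under 'deny,allow', because it is listed in a deny rule and the other two orders let that deny rule win; a user mentioned in no rule at all (guest) is accepted only under 'deny,allow'.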
Blocking root access
As the root user is present in almost all MySQL installations, it is often the target of attacks. A parameter lets us easily block all phpMyAdmin logins of MySQL's root account, using the following:
$cfg['Servers'][$i]['AllowRoot'] = FALSE;
Some system administrators prefer to disable the root account at the MySQL server level, creating another, less obvious account possessing the same privileges. This has the advantage of blocking root access from all sources, not just from phpMyAdmin.
Protecting in-transit data
HTTP is not inherently immune to network sniffing (grabbing sensitive data off the
wire). So, if we want to protect not only our username and password but all the data
that travels between our web server and browser, then we have to use HTTPS.
To do so, assuming that our web server supports HTTPS, we just have to start phpMyAdmin by putting https instead of http in the URL, as follows:
https://www.mydomain.com/phpMyAdmin/