Security
Security can be examined at various levels:
How we can protect the phpMyAdmin installation directory
Which workstations can access phpMyAdmin
The databases that a legitimate user can see
How in-transit data protection and access protection can be enforced via a physical USB key on the workstation
Directory-level protection
Suppose an unauthorized person is trying to execute our copy of phpMyAdmin. If we use the simple config authentication type, anyone knowing the URL of our phpMyAdmin will have the same effective rights to our data as we do. In this case, we should use the directory protection mechanism offered by our web server (for example, .htaccess, a file name with a leading dot) to add a level of protection.
If we decide on using the http or cookie authentication types, our data would be safe enough. However, we should take the normal precautions with our password (including changing it periodically).
The directory where phpMyAdmin is installed contains sensitive data. Not only the configuration file but also all the scripts stored there must be protected from alteration. We should ensure that, apart from us, only the web server's effective user has read access to the files contained in this directory, and that only we can write to them.
phpMyAdmin's scripts never have to modify anything inside this directory, except when we use the Save export file to server feature (explained in Chapter 7).
Another possible attack comes from other developers who have an account on the same web server as we do. In this kind of attack, someone tries to open our config.inc.php file. As this file is readable by the web server, someone could try to include our file from their own PHP scripts. This is why it is recommended to use PHP's open_basedir feature, possibly applying it to all directories from which such attacks could originate.
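The permission model described in the two paragraphs above (only we can write, only the web server's effective user can also read, nobody else can touch the files) can be checked with a small audit script. This is an added example, not part of phpMyAdmin or the book; it assumes a POSIX find, and the web server group name (www-data below) is a placeholder to adjust for the host.

```shell
#!/bin/sh
# pma_audit DIR OWNER WEBGROUP
# Walks the phpMyAdmin install directory and reports every file that breaks the
# intended model: owner = our account, group = the web server's effective user,
# mode 640-style (owner rw, group r, nothing for others).
# Prints one "<reason>: <path>" line per offending file, returns 0 when clean.
pma_audit() {
    dir=$1
    owner=$2
    webgroup=$3
    out=$(
        # Readable or writable by "other": any shell account on the host could
        # read config.inc.php or replace a script.
        find "$dir" -type f \( -perm -004 -o -perm -002 \) -print \
            | sed 's/^/other-access: /'
        # Group-writable: the web server user could alter our scripts.
        find "$dir" -type f -perm -020 -print \
            | sed 's/^/group-writable: /'
        # Wrong owner: a file we do not control.
        find "$dir" -type f ! -user "$owner" -print \
            | sed 's/^/wrong-owner: /'
        # Wrong group: the web server may not be able to read it, or a
        # different group can.
        find "$dir" -type f ! -group "$webgroup" -print \
            | sed 's/^/wrong-group: /'
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Example invocation (paths and group are placeholders):
# pma_audit /var/www/phpmyadmin "$(id -un)" www-data
```

Run it after every upgrade of phpMyAdmin, since unpacking a new release with a permissive umask is the usual way the 640 model silently decays to 644.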