Security
Security can be examined at various levels:
- Directory-level protection for phpMyAdmin
- IP-based access control
- The databases that a legitimate user can see
- In-transit data protection
Directory-Level Protection
Suppose an unauthorized person is trying to execute our copy of phpMyAdmin. If
we used the simple config authentication type, anyone knowing the URL of our
phpMyAdmin will have the same effective rights on our data as us. In this case,
we should use the directory-protection mechanism offered by our web server
(for example, .htaccess) to add a level of protection.
If we chose to use http or cookie authentication types, our data would be safe
enough, but we should take the normal precautions with our password (including its
periodic change).
The directory where phpMyAdmin is installed contains sensitive data. Not only the
configuration file but also ultimately all scripts stored there must be protected from
alteration. We should ensure that apart from us, only the web server effective user has
read access to the files contained in this directory and that only we can write to them.
Note: phpMyAdmin's scripts never have to modify anything inside this directory, except
when we use the Save export file to server feature, which is explained in Chapter 7.
Another possible attack comes from other developers who have an account on the same
web server as us. In this kind of attack, someone can try to open our config.inc.php
file. Since this file is readable by the web server, someone could try to include
our file from their own PHP scripts. This is why it is recommended to use PHP's
open_basedir feature, possibly applying it to all directories from which such attacks
could originate.
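As an added example (not from the book), the following shell functions apply the directory-level protection described above: an audit that lists every entry in the phpMyAdmin directory that is writable by the web server group or accessible by anyone else, and a hardening step that fixes the permission bits and writes an Apache 2.4 .htaccess requiring Basic authentication. Assumed placeholders are the directory path, the .htpasswd path (kept outside the web root), and that the web server's effective user is in the group owning the files; chown to that owner and group is a separate root step not shown here.

```shell
#!/bin/sh
# audit_pma_dir DIR
#   Prints every file or directory under DIR that violates the rule
#   "only we can write, only we and the web server group can read":
#   any bit set for 'others' (0004/0002/0001) or the group write bit (0020).
#   Returns 0 when nothing is found, 1 otherwise.
audit_pma_dir() {
    dir=$1
    findings=$(find "$dir" \( -perm -0004 -o -perm -0002 \
                              -o -perm -0001 -o -perm -0020 \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# harden_pma_dir DIR HTPASSWD_FILE
#   1. Drop a .htaccess that makes Apache ask for a password before serving
#      anything from DIR (HTPASSWD_FILE is a placeholder path outside the web root).
#   2. Directories: owner rwx, web group rx (needed to traverse), others nothing.
#   3. Files (config.inc.php and all scripts): owner rw, web group r, others nothing.
harden_pma_dir() {
    dir=$1
    htpasswd=$2
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "phpMyAdmin"
AuthUserFile $htpasswd
Require valid-user
# Optional extra layer (IP-based access control), placeholder network:
# Require ip 192.0.2.0/24
EOF
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# Stand-alone usage on a constructed sample directory (placeholder paths).
if [ "${PMA_DEMO:-}" = 1 ]; then
    d=$(mktemp -d); printf '<?php $cfg = array();\n' > "$d/config.inc.php"
    chmod 644 "$d/config.inc.php"
    audit_pma_dir "$d" || echo "findings above; hardening..."
    harden_pma_dir "$d" "/etc/phpmyadmin/.htpasswd" && audit_pma_dir "$d" && echo clean
    rm -rf "$d"
fi
```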
IP-Based Access Control
An additional level of protection can be added, this time verifying the Internet
Protocol (IP) address of the machine from which the request to use phpMyAdmin
is received.