
Adminer - Database management in a single PHP file
#11
It's interesting that you say that. I started with phpMyAdmin since my first server. Ya, it was a bit confusing as I had never had a server or knew anything about it. I never watched any vids as I think it was before YouTube came out. So everything was text documents. Maybe that is why it was easier. I have found some of those vids there very confusing and don't tell you the right information. After I figured out how to create a database and how to execute SQL, the rest I learnt on my own by exploring it.

I set up a Panel on a server for a friend, it was the CentOS panel. It was even more confusing and difficult to figure out than phpMyAdmin was. I have some experience with Panels, so if I found it confusing, I can imagine that a n00b would too.
#12
(12-29-2016, 11:52 PM)strokerace Wrote: It's interesting that you say that. I started with phpMyAdmin since my first server. Ya, it was a bit confusing as I had never had a server or knew anything about it. I never watched any vids as I think it was before YouTube came out. So everything was text documents. Maybe that is why it was easier. I have found some of those vids there very confusing and don't tell you the right information. After I figured out how to create a database and how to execute SQL, the rest I learnt on my own by exploring it.

I set up a Panel on a server for a friend, it was the CentOS panel. It was even more confusing and difficult to figure out than phpMyAdmin was. I have some experience with Panels, so if I found it confusing, I can imagine that a n00b would too.
Well seeing you're not a n00b, I can imagine you've got it sorted out. I just find in general it's not instinctive for users. One has to look for a step by step tutorial, or clarification of things. Like for the longest time in cPanel, and I think it's still the case, once one is in phpmyadmin, there is no log out button. cPanel also doesn't ask for a login and password. One just gets in it, without having to log in. Which I think is a security omission. Not all panels however allow one to get in without logging in from the panel. Webuzo panel asks for a login and password, and phpmyadmin can be logged out of at the end of the session.
#13
(12-30-2016, 07:29 AM)Genesis Wrote:
(12-29-2016, 11:52 PM)strokerace Wrote: It's interesting that you say that. I started with phpMyAdmin since my first server. Ya, it was a bit confusing as I had never had a server or knew anything about it. I never watched any vids as I think it was before YouTube came out. So everything was text documents. Maybe that is why it was easier. I have found some of those vids there very confusing and don't tell you the right information. After I figured out how to create a database and how to execute SQL, the rest I learnt on my own by exploring it.

I set up a Panel on a server for a friend, it was the CentOS panel. It was even more confusing and difficult to figure out than phpMyAdmin was. I have some experience with Panels, so if I found it confusing, I can imagine that a n00b would too.
Well seeing you're not a n00b, I can imagine you've got it sorted out. I just find in general it's not instinctive for users. One has to look for a step by step tutorial, or clarification of things. Like for the longest time in cPanel, and I think it's still the case, once one is in phpmyadmin, there is no log out button. cPanel also doesn't ask for a login and password. One just gets in it, without having to log in. Which I think is a security omission. Not all panels however allow one to get in without logging in from the panel. Webuzo panel asks for a login and password, and phpmyadmin can be logged out of at the end of the session.
Ummm, if you are using cPanel with no login, then you or someone did something to it. Did you use the log in with cPanelID to log in? If so, then it will use your ID created for that computer and log in automatically. Which is not good if someone gains access to your computer. I have to log into cPanel every time I go to it.
As for phpMyAdmin, yes there is no log out as it doesn't need one. If the panel is set up correctly, as soon as you log out of the cPanel, it should terminate your session, or as soon as you close the window/tab. They have streamlined it now. It opens another window now so you can access MySQL functions in case there is an issue. Also, the majority of modern day SQL files are set up to create a new DB name if you don't have one set up. Then all your other features for phpMyAdmin are on top now so you can click the tab that you want and still be able to access your DB on the left.
#14
@strokerace Think you misunderstood. Of course one needs a login to get into cPanel. That goes without saying. But I'm saying that even with the login into cPanel, ideally for security there should be a separate login for phpmyadmin when one clicks on it. Also, once one has been in phpmyadmin, then there should be a logout of phpmyadmin that is in addition to the logout for cPanel.

I don't think people realize how vulnerable for hacking phpmyadmin is. Particularly considering that all of the Website and access to the Admin of the Website info is contained in the database that is available through phpmyadmin. A clever hacker can basically access or take over the whole Website by just getting access to the phpmyadmin. That is why people who are really savvy about security (I don't say I am as I do use phpmyadmin with all of my websites), but your real command line Geeks would never use phpmyadmin through a panel of any kind.
#15
Finally, I figured out how to use Adminer. I install PHP and MySQL server on my Android. But I can't find a good SQL manager for my Android. And here comes Adminer. Very handy.
#16
(12-30-2016, 10:36 AM)Genesis Wrote: @strokerace Think you misunderstood. Of course one needs a login to get into cPanel. That goes without saying. But I'm saying that even with the login into cPanel, ideally for security there should be a separate login for phpmyadmin when one clicks on it. Also, once one has been in phpmyadmin, then there should be a logout of phpmyadmin that is in addition to the logout for cPanel.

I don't think people realize how vulnerable for hacking phpmyadmin is. Particularly considering that all of the Website and access to the Admin of the Website info is contained in the database that is available through phpmyadmin. A clever hacker can basically access or take over the whole Website by just getting access to the phpmyadmin. That is why people who are really savvy about security (I don't say I am as I do use phpmyadmin with all of my websites), but your real command line Geeks would never use phpmyadmin through a panel of any kind.

That is not true. phpMyAdmin is just a GUI. Don't think phpMyAdmin is vulnerable to hacking. In order for them to access your phpMyAdmin, they would need your cPanel login. I checked it last night. I logged out of my panel with the phpMyAdmin window open, I tried to access a few things and it asked me to log back into cPanel. That is one password that no one can hack unless they use a keylogger or installed software on the server to find the cPanel login. Yes, there is software to do that. So there are no vulnerabilities in phpMyAdmin.

For example, if your site has a SQL vulnerability, the only thing they would get is your database name and password for that database. With that, at most they can only gain admin access to your web pages that use that info. In short, they could lock you out of your website until you log into your cPanel and remove them from the database.
#17
(12-30-2016, 04:12 PM)strokerace Wrote: That is not true. phpMyAdmin is just a GUI. Don't think phpMyAdmin is vulnerable to hacking. In order for them to access your phpMyAdmin, they would need your cPanel login. I checked it last night. I logged out of my panel with the phpMyAdmin window open, I tried to access a few things and it asked me to log back into cPanel. That is one password that no one can hack unless they use a keylogger or installed software on the server to find the cPanel login. Yes, there is software to do that. So there are no vulnerabilities in phpMyAdmin.

For example, if your site has a SQL vulnerability, the only thing they would get is your database name and password for that database. With that, at most they can only gain admin access to your web pages that use that info. In short, they could lock you out of your website until you log into your cPanel and remove them from the database.
I didn't say cPanel was insecure Strokerace. I said that ideally one needs an ADDED layer of security for phpmyadmin. Particularly considering that phpmyadmin contains almost all of the Website admin info in it. Like all of the access information. One should be prompted for a separate password to get into phpmyadmin inside cpanel, and be able to log out properly in addition to logging out of cpanel.

For me the equivalent is phpmyadmin being the "safe" that you put your most valuable items in. It's in a house with double locks on the door (cPanel). You want everything to be as safe as you can, but your most valuable items you want double security for.

I disagree that cPanel is completely safe - particularly in a shared hosting environment. We had a situation at another Server a few years ago when a hacker managed to hack a shared hosting Website as an act of vengeance (the target had copied a hacker forum theme), and as a bonus he managed to hack himself into cpanel, probably not even planning to do so, but managed to do it. Once in cpanel he can get into any phpmyadmin he wants to. Given that there isn't a second password he has to worry about. He didn't get into the other Websites thankfully (an ethical hacker :)), but he seriously damaged some of the functions in cpanel that took a long time to fix.

I also disagree with you that the hacker would only get the passwords. With WordPress definitely all of the content, the pages and posts are contained inside the database. Only content that is outside the database are the images and some of the functions. If the hacker would have chosen to get into phpmyadmin of any given Website he could have seriously wrecked it, or taken it over. He doesn't only get access to admin info, but in the case of WordPress for certain, he gets almost all of the content as well. Only content he doesn't get are the images and functions.
#18
Ok, first off, even if phpMyAdmin had a password, it still doesn't stop someone from getting access to your database. All they need is your admin password for the WordPress admin and they have everything anyway.
So, even if they could get your cPanel, they can still wipe out your DB from the cPanel. Then all your files from the file manager.

What should have a password is the MySQL database as that is what controls phpMyAdmin.

I did mention that you can hack cPanels. There are 2 scripts that I know of that can be uploaded to a user's site and when executed from their web browser can hack all cPanel and WHM passwords and user names. Does it work, yes it does in most cases. But as I said, you can't access phpMyAdmin without logging into cPanel. So why a second password? 1, in 99% of servers, you would use the same user name for the login, 2, you don't need to access it to get or delete DB information. You just need to know some SQL commands if the DB is vulnerable to SQL injection. This is how 85% of all website hacks take place.

I did a bit of reading to make sure that I am explaining this right. Not sure if I am or not so I found this on the phpMyAdmin help pages.

If I am reading this right, it looks like you could have a separate login for it which needs to be set up by the server admin.
HTTP authentication mode

Cookie authentication mode
  • You can use this method as a replacement for the HTTP authentication (for example, if you’re running IIS).
  • Obviously, the user must enable cookies in the browser, but this is now a requirement for all authentication modes.
  • With this mode, the user can truly log out of phpMyAdmin and log in back with the same username.
  • If you want to log in to arbitrary server see $cfg['AllowArbitraryServer'] directive.
  • As mentioned in the Requirements section, having the mcrypt extension will speed up access considerably, but is not required.

Signon authentication mode
  • This mode is a convenient way of using credentials from another application to authenticate to phpMyAdmin.
  • The other application has to store login information into session data.

See also $cfg['Servers'][$i]['auth_type'], $cfg['Servers'][$i]['SignonSession'], $cfg['Servers'][$i]['SignonScript'], $cfg['Servers'][$i]['SignonURL']

Config authentication mode
  • This mode is the less secure one because it requires you to fill the $cfg['Servers'][$i]['user'] and $cfg['Servers'][$i]['password'] fields (and as a result, anyone who can read your config.inc.php can discover your username and password). But you don’t need to setup a “controluser” here: using the $cfg['Servers'][$i]['only_db'] might be enough.
  • In the ISPs, multi-user installations section, there is an entry explaining how to protect your configuration file.
  • For additional security in this mode, you may wish to consider the Host authentication $cfg['Servers'][$i]['AllowDeny']['order'] and $cfg['Servers'][$i]['AllowDeny']['rules'] configuration directives.
  • Unlike cookie and http, does not require a user to log in when first loading the phpMyAdmin site. This is by design but could allow any user to access your installation. Use of some restriction method is suggested, perhaps a .htaccess file with the HTTP-AUTH directive or disallowing incoming HTTP requests at one’s router or firewall will suffice (both of which are beyond the scope of this manual but easily searchable with Google).

Swekey authentication mode

The Swekey is a low cost authentication USB key that can be used in web applications. When Swekey authentication is activated, phpMyAdmin requires the user’s Swekey to be plugged before entering the login page (currently supported for cookie authentication mode only). Swekey Authentication is disabled by default. To enable it, add the following line to config.inc.php:

$cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey.conf';

You then have to create the swekey.conf file that will associate each user with their Swekey Id. It is important to place this file outside of your web server’s document root (in the example, it is located in /etc). A self documented sample file is provided in the examples directory. Feel free to use it with your own users’ information. If you want to purchase a Swekey please visit http://phpmyadmin.net/auth_key since this link provides funding for phpMyAdmin.

See also $cfg['Servers'][$i]['auth_swekey_config']

Securing your phpMyAdmin installation

The phpMyAdmin team tries hard to make the application secure, however there are always ways to make your installation more secure:
  • remove setup directory from phpMyAdmin, you will probably not use it after initial setup
  • prevent access to libraries directory from browser, as it is not needed, supplied .htaccess file does this
  • properly choose authentication method - Cookie authentication mode is probably the best choice for shared hosting
  • in case you don’t want all MySQL users to be able to access phpMyAdmin, you can use $cfg['Servers'][$i]['AllowDeny']['rules'] to limit them
  • consider hiding phpMyAdmin behind authentication proxy, so that MySQL credentials are not all users need to login
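
Added example, not part of the post above or of the phpMyAdmin manual: a config.inc.php fragment that contrasts the config mode the quoted documentation calls the less secure one with cookie mode, which gives phpMyAdmin its own login and logout, plus the AllowDeny rules the list mentions. The account name, address range and secret are constructed placeholders.

```php
<?php
// Added example: config.inc.php fragment. The account name, address range
// and secret below are constructed placeholders, not real values.

// Used to encrypt the login cookie in 'cookie' mode; generate your own.
$cfg['blowfish_secret'] = 'REPLACE-WITH-YOUR-OWN-RANDOM-SECRET';

// The login form may not be pointed at arbitrary MySQL hosts.
$cfg['AllowArbitraryServer'] = false;

// Seconds a login cookie stays valid before the user must log in again.
$cfg['LoginCookieValidity'] = 900;

$i = 0;

/* WEAK (left commented out): 'config' mode.
 * The credentials sit in this file, so anyone who can read it learns them,
 * and anyone who can reach the URL is in without a prompt. There is no
 * phpMyAdmin session to log out of.
 *
 * $i++;
 * $cfg['Servers'][$i]['host']      = 'localhost';
 * $cfg['Servers'][$i]['auth_type'] = 'config';
 * $cfg['Servers'][$i]['user']      = 'site_db_user';
 * $cfg['Servers'][$i]['password']  = 'stored-in-clear-text';
 */

// HARDENED: 'cookie' mode. phpMyAdmin shows its own login form, checks the
// entered MySQL credentials against the server, and offers a real logout.
$i++;
$cfg['Servers'][$i]['host']            = 'localhost';
$cfg['Servers'][$i]['auth_type']       = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;  // refuse empty passwords
$cfg['Servers'][$i]['AllowRoot']       = false;  // no root logins via the web UI

// Only the listed user/host pair may log in; everything else is refused.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'allow site_db_user from 192.0.2.0/24',
);
```

In cookie mode the password checked at the phpMyAdmin prompt is the MySQL account's own, so the extra layer is only as strong as that account's password and differs from the panel login only if the two are set differently.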
#19
Also, as for WordPress, if I get the login for the admin panel, I don't get access to the DB. If the DB is vulnerable to SQL injection, I can create a new admin user and password and give myself access to the admin panel. I don't think the admin panel of WordPress gives me access to the DB though. It does give me access to any plugin etc. on the site. So at most, I could alter those.

But, if I can use SQL injection on the DB, I can dump the whole DB. I also use a program called Acunetix Web Vulnerability Scanner to scan any website. It scans for 1000's of vulnerabilities on the website and tells you how severe they are. It's a paid program that is well worth the money if you are into network security. 9 times out of 10, you don't need to know much about hacking to get into a site if you use this program on a WordPress site. Some of the built-in features that users use can cause their sites to get hacked without a password or SQL injection. I found one site that did a complete backup, including the SQL DB, and it was accessible from the web browser. All a user had to know was where the backup program would store the backup files.
Inside of it, it gave me the SQL user and password. All I had to do was use a program to run the SQL and create myself an admin user account. Or I could have used that info to download the latest DB info, and then created a clone version of the site on another server.

Remember, people are so gung ho about SEO, that I could have set up some SEO stuff and everyone would be directed to the site and they would think it was the real one. Or you can go one step further and see if you can hack the DNS server and redirect the domain to the newly created site.

So, does it really matter if phpMyAdmin has a login/logout? No, it doesn't change anything in the scope of security. What matters the most is that the server admin keeps the server up to date, patches installed, watches 0day sites. Then the website owner has to monitor his own files and check for updates, security issues and make sure he logs in and out properly every time.

When I had my Dev site, I had people checking the code for bugs and security issues and repairing them. What may be ok today, may not be tomorrow. I have even given some hackers my site addy and told them to hack it. This way I knew what to fix. Seeing it was my own code, no one other than me was doing the patching. And my skill level for hacking is not even worth mentioning as it's very very low. So I don't know all the tricks or tools that a hacker would use, thus the reason I use the vulnerability scanner to help me with security risk. It will also tell you that some may be false positives, but still worth checking into just the same.

I can tell you there is not enough time in a day to keep up. Your head will explode before you even get into 1/4 of the stuff that is out there.

I know this is long winded, but it's why I hardly use other people's programs any more. They can't be trusted, they get lazy, sloppy with their code and no one double checks their work anymore.
  



