PMA PHPMyAdmin Password

Problems with the Windows version of XAMPP, questions, comments, and anything related.

PMA PHPMyAdmin Password

Postby w4vy » 07. October 2008 18:10

Hi there could someone help me to secure the pma account , everything I do it says its wrong. Can someone from outside access PHPMyAdmin ?
Image
User avatar
w4vy
 
Posts: 153
Joined: 04. June 2008 09:58
Location: England

Postby Sharley » 07. October 2008 19:02

Never known anyone being able to access phpMyAdmin from outside using user pma.

This post might help:
http://community.apachefriends.org/f/viewtopi ... 3400#83400
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Postby w4vy » 07. October 2008 22:31

Thanks m8 I checked that post out and I have already done what was relevent to me from it.

If I add a password to the pma user and even if it is also added in the user table in mysql_db it still always says connection issue the password is wrong or doesn't match, also I can't shut down the MySQL server if there's a password for the pma user. I just want it secure as I have gone to the login screen and tried user pma with no password and it let me in which I thought was a bit dodgy and what if it was accessible from outside my Lan. I will have to try at a friends house.

btw. if I add a pw I can't log in it says wrong pw again but it isn't wrong. Could it be that I need to MD5 the PW ?

Thanks for your help.

w4vy
Image
User avatar
w4vy
 
Posts: 153
Joined: 04. June 2008 09:58
Location: England

Postby Sharley » 08. October 2008 01:45

You don't set a password for the user pma as that user's privileges are set to only SHUTDOWN phpMyAdmin.

Check the pma user privileges, after a login using your root user credentials, by clicking on the little edit icon next to pma under the heading Privileges in phpMyAdmin and make sure that SHUTDOWN is the only privilege ticked (available) to the pma user - Global Privileges - SHUTDOWN only.

Thats as secure as it gets for user pma as it now can only shutdown phpMyAdmin and that is why a password for the pma user will give errors as there is no where to enter a password when shutting down phpMyAdmin.

You will find when you login using pma with no password that this user can do nothing in phpMyAdmin to cause any damage to your MySQL databases period, no matter where he gains access from.

Of course if the root user gives the pma user more privileges in phpMyAdmin then you have created a very dangerous security risk.

The root user is the only user that can change the pma privileges and is why you should never use the root user's credentials when creating databases for other scripts like blogs and forums etc. - they should always have their own individual user/pass combination with specific privileges to each database created.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Postby w4vy » 10. October 2008 12:51

Thankyou Sharley I wish more people would explain things like you just did m8. I have reverted back to no password and done everything you said to do and I can confirm the user PMA has only Shutdown access to phpMyAdmin. Thanks again.

w4vy

p.s what you said about using root for forums and blogs "cough" well I did that but now I will make a user just for the forum but what privliges will the new user need plz ?

Thanks in advance.

w4vy
Image
User avatar
w4vy
 
Posts: 153
Joined: 04. June 2008 09:58
Location: England

Postby Sharley » 10. October 2008 13:29

When you create your database for a particular script you set the user's permissions for that database only.

In phpMyAdmin select Privileges then click on the edit icon for the user you want to use for the database or select Add new user to create a new user that you will associate with your database.

If it is a new user you will have a different page returned with places to add your user and provide a password - select local from the drop box for the Host but do not grant global privileges and leave none selected in the Database for user section - click Go and you will arrive at the page similar to the next instructions below.

Now drill down till you see an item named Database-specific privileges.

Now select the database from the drop box Add privileges on the following database:

You will be given another page with a list of privileges.
It is usually correct practice to give your user full access to the database you select by clicking on check all
Now click the first Go under the privileges list.

You will get a message that you have done the job.

Now click on the Home button top left frame.

You can now do a check that all is as you intended and exit phpMyAdmin

Now login to phpMyAdmin using the user/pass for the database you have just edited.

You will be allowed in but all you should see is the database relevant to that user.

Let me know if you can't follow the above or you have any issues with it.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 51 guests