Page 1 of 1

Three oddities associated with phpMyAdmin

PostPosted: 17. June 2011 19:19
by jhsachs
I'm a somewhat experienced user of Apache, MySQL, etc., but a new user of XAMPP. I resorted to it because I couldn't get the separately installed components to work together on a new Windows 7 computer, although I had no trouble doing that under Windows XP in the past.

I'm having some problems with phpMyAdmin. I'm going to describe them all in a single message because at this point I don't know if they're related or not.

First: I found that the phpMyAdmin packaged with XAMPP has no support for password protection. When it was pointed out to me that this is intentional, I replaced that version with a standard one.

Before I did that, however, I found myself in a situation where my databases were password protected, but phpMyAdmin was quite happy to go into all of them without a password. Later, while I was trying to solve the problem I'll describe next, this ceased to happen. Now the packaged version of phpMyAdmin doesn't work at all, since it can't prompt me to enter the passwords it needs. That's what should have happened all along, so I don't consider it a problem.

But the fact that XAMPP's phpMyAdmin was able to access password-protected databases without a password is a very big problem. Until I understand why it happened, I can't predict whether it may happen again.

    If the system was in a transitional state (e.g., the passwords hadn't been propagated to someplace where they needed to go), I can heave a sigh of relief and thank my stars that the transition is complete.

    If XAMPP built some kind of trapdoor into MySQL for the convenience of phpMyAdmin, that's an unacceptable security risk. I need to remove XAMPP's version of MySQL and install a secure one.

    If XAMPP's phpMyAdmin takes advantage of a trapdoor in an unmodified version of MySQL, that is even more serious. I need to find a version of MySQL that does not have the trapdoor, or if there is none, I need to report it to the MySQL project as a security-related bug.

Second: in the course of this work I found that when I start Apache through the XAMPP Control Panel, two httpd processes appear in Windows Task Manager. When I stop Apache, both go away. Is this normal? It looks very odd to me, and I saw some error messages which suggested that one of them was interfering with the other.

Third: I've found that there's something magical about the pathname localhost/phpmyadmin -- and not in a good way. If XAMPP's original version of phpMyAdmin is in that location, it runs. (It doesn't work now because of the password protection, but it tries.) If I put the standard version in there, my browser returns an "Object Not Found" page. But if I then change the name of the directory to phpm, or phpmyadmi, or phpmyadminn, or anything except phpmyadmin, it works.

I thought this might be a caching problem, but it doesn't appear to be. I tried using a different brand of browser; it made no difference. I tried clearing my standard browser's cache, then simultaneously closing and reopening the browser and stopping and restarting Apache; that also made no difference.

Ie looked in httpd.conf for some command that might be telling it treat phpadmin specially; I found nothing.

Not being able to run phpMyAdmin from a directory named phpmyadmin is a minor irritation, but I need to know what is happening so that I can know what is not happening. Is this oddity the only forewarning I will get of some problem that will cripple the whole development environment later, when I depend on it? Until I know it isn't, I can't trust the environment at all.

Re: Three oddities associated with phpMyAdmin

PostPosted: 17. June 2011 19:37
by Altrea
jhsachs wrote:First: I found that the phpMyAdmin packaged with XAMPP has no support for password protection.

I can't reproduce that. I used nearly every XAMPP version since 1.4.13 and many of them on my Windows 7 Home Premium 64Bit. All of them are able to have a password protection for the root user and/or the phpmyadmin directory.
Can you give more information about which version you use in which configuration, which installation path, etc. All what is needed to create a situation like yours?

jhsachs wrote:Second: in the course of this work I found that when I start Apache through the XAMPP Control Panel, two httpd processes appear in Windows Task Manager. When I stop Apache, both go away. Is this normal? It looks very odd to me, and I saw some error messages which suggested that one of them was interfering with the other.


Yes, thats normal on Windows systems. Like you can read here:
Because Apache for Windows is multithreaded, it does not use a separate process for each request, as Apache can on Unix. Instead there are usually only two Apache processes running: a parent process, and a child which handles the requests. Within the child process each request is handled by a separate thread.

Re: Three oddities associated with phpMyAdmin

PostPosted: 17. June 2011 20:35
by jhsachs
First: I found that the phpMyAdmin packaged with XAMPP has no support for password protection.


I can't reproduce that.... Can you give more information about which version you use in which configuration, which installation path, etc.

Well, I'll try. I confess to a certain amount of mental whiplash from being told first that it's intended to work that way, and then that the behavior can't be reproduced without details of my configuration. See my earlier topic, http://community.apachefriends.org/f/viewtopic.php?f=16&t=47314.

I installed the ZIP distribution of XAMPP Windows 1.7.4, downloaded yesterday from Apache Friends' download page for Windows. The installation directory is C:\XAMPP. The OS is Windows 7 Enterprise.

phpInfo says PHP Version 5.3.5; Apache/2.2.17 (Win32); mysqlnd 5.0.7-dev - 091210 - $Revision: 304625 $. I can provide more information if you tell me what you want.

Re: Three oddities associated with phpMyAdmin

PostPosted: 17. June 2011 20:44
by Altrea
Please tell me how you have tried to put a password for the users.

There are several ways like:
- XAMPP security script
- MySQL Command Line
- phpmyadmin permissions tab
- mysql users table

and if you have changed anything in the XAMPP phpmyadmin configuration file

Re: Three oddities associated with phpMyAdmin

PostPosted: 17. June 2011 21:15
by jhsachs
I used a standard version of phpMyAdmin to change each user's password and remove the "Any" user's permissions for each database. I did not touch the phpMyAdmin config file.

Re: Three oddities associated with phpMyAdmin

PostPosted: 17. June 2011 21:25
by Altrea
wait: Topic was that the phpmyadmin build in XAMPP doesn't support password protection.
If you have problems with the password protection of your standard phpmyadmin, this is not the right place.

Re: Three oddities associated with phpMyAdmin

PostPosted: 17. June 2011 22:01
by jhsachs
wait: Topic was that the phpmyadmin build in XAMPP doesn't support password protection.
If you have problems with the password protection of your standard phpmyadmin, this is not the right place.


I think you have misunderstood something in the sequence of messages. I have no problem with password protection in the standard phpmyadmin. If there is a problem, it is in XAMPP's version of phpMyAdmin and/or MySQL.

Let me know if this doesn't become clear when you revisit my original post, and I'll try to explain it differently.

Re: Three oddities associated with phpMyAdmin

PostPosted: 17. June 2011 22:43
by Altrea
jhsachs wrote:If there is a problem, it is in XAMPP's version of phpMyAdmin and/or MySQL.

Good. Again my question:
How do you have tried to change the password in the XAMPP MySQL Database with the XAMPP phpmyadmin?

Or why do you think that XAMPPs MySQL / phpmyadmin don't support password protection?
I think thats the point i don't got.

Re: Three oddities associated with phpMyAdmin

PostPosted: 18. June 2011 00:14
by jhsachs
XAMPP's MySQL/phpMyAdmin definitely does or did not support password protection, in two respects.

First, on my system it doesn't prompt for a log-in. Never did.

And, in the other topic I started, Sharley told me that it's not supposed to prompt for a log-in, and referred me to a passage in readme_en.txt which confirms that.

Second, for a limited but alarming time, XAMPP's MySQL/phpMyAdmin went right ahead and accessed databases that I had password-protected with the standard version of phpMyAdmin, despite the fact that it had no password. (N.B., it stopped doing that at some point.)

It occurs to me that the states of the two versions of phpMyAdmin may have gotten mixed up, despite the fact that I was not running them at the same time. That is, the XAMPP version may have picked up the username/password that I entered when I logged in to the standard version, enabling it to access password-protected databases even though it could not prompt me for a password itself.

Re: Three oddities associated with phpMyAdmin

PostPosted: 18. June 2011 11:55
by JonB
'root' always trumps 'users'

:D

Re: Three oddities associated with phpMyAdmin

PostPosted: 18. June 2011 12:04
by Altrea
jhsachs wrote:First, on my system it doesn't prompt for a log-in. Never did.

The XAMPP phpMyAdmin is configured to take the password from the phpmyadmin config.inc.php file. But this can be changed very easy.

jhsachs wrote:And, in the other topic I started, Sharley told me that it's not supposed to prompt for a log-in, and referred me to a passage in readme_en.txt which confirms that.

You have completely misunderstood what Sharley and the part in the readme_en.txt wants to tell you.

jhsachs wrote:Second, for a limited but alarming time, XAMPP's MySQL/phpMyAdmin went right ahead and accessed databases that I had password-protected with the standard version of phpMyAdmin, despite the fact that it had no password. (N.B., it stopped doing that at some point.)

How did you password protect them? Have you given passwords to the root users? If not: The root users have global rights over all tables and databases.

Remember that the phpmyadmin in XAMPP is nearly a standard phpmyadmin but with some configuration that can be done in phpmyadmin. You can proof that if you take the same phpmyadmin version from standard and compare all the files with them in the XAMPP installation.

jhsachs wrote:It occurs to me that the states of the two versions of phpMyAdmin may have gotten mixed up, despite the fact that I was not running them at the same time. That is, the XAMPP version may have picked up the username/password that I entered when I logged in to the standard version, enabling it to access password-protected databases even though it could not prompt me for a password itself.

No, that can only be a cache issue or something you don't understood about the components, password protection or something else.

XAMPP supports password protected mysql users like the standard components do too. There is no backdoor for the developers which isn't there in the standard components.