PhpMyAdmin
From InstallationWiki
zelelacdo
| Official Page |
| Project Documentation |
| Download |
|
In this article we discuss installing phpMyAdmin and configuring it for first-time use. You may need to install phpMyAdmin in the following scenarios:
- Your host provider did not install a central copy.
- Your provider installed it, but the version installed is not current.
- Your are working directly on your enterprise's web server.
Some host providers offer an integrated web panel where we can manage accounts, including MySQL accounts, and also a file manager that can be used to upload web content. Depending on this, the mechanism we use to transfer phpMyAdmin to our web space will vary. We will need some specific information before starting the installation:
- The web server's name or address. Here, we will assume it is
www.mydomain.com. - Our web server's account information (username, password), which will be used either for FTP or SFTP transfer, SSH login, or web control panel login.
- The MySQL server's name or address. Often this is
localhost, which means it is located on the same machine as the web server. We will assume this to bemysql.mydomain.com. - Our MySQL server's account information (username, password).
[edit] System Requirements
The up-to-date requirements for a specific phpMyAdmin version are always stated in the accompanying Documentation.html. It is strongly recommended that the PHP mcrypt extension be present for improved performance in cookie authentication mode, more on this in the following article.
On the browser side, cookie support must be activated, whatever authentication mode we use.
[edit] Downloading the Files
There are various files available in the Downloads section of http://www.phpmyadmin.net. There might be more that one version offered here; always download the latest stable version. We only need to download one file, which includes all the language files and works regardless of the platform (browser, web server, MySQL, or PHP version). If we are using a server supporting only PHP3, the latest stable version of phpMyAdmin is not a good choice to download. I recommend using version 2.2.7-pl1, which is the latest version that supports PHP3. Thus we will have to download a file with .php3 in its name. In this case, while following the present instructions, we will have to transpose to .php3 each time we talk about .php files.
The files offered have various extensions: .zip, .tar.bz2, .tar.gz. Download a file having an extension for which you have the corresponding extractor. .zip is the most universal file format in the Windows world, although it is bigger than .gz or .bz2 (common in the Linux/Unix world). In the following examples, we will assume that the chosen file was phpMyAdmin-2.8.2.zip.
After clicking on the appropriate file, we will have to choose the nearest mirror. The file will start to download, and we can save it on our computer.
[edit] Installation
The next step depends on the platform you are using; the coming sections detail the procedure for some common platforms. You may proceed directly to the relevant section.
[edit] Installation on a Remote Server Using a Windows Client
Using the File explorer, we double-click the phpMyAdmin-2.8.2.zip file we just downloaded on the Windows machine; a file extractor should start, showing us all the scripts and directories inside a main phpMyAdmin-2.8.2 directory, as shown here using PowerArchiver:
Use whatever mechanism your file extractor offers to save all the files, including subdirectories, to some location on your workstation. Here, we have chosen c:\, so a c:\phpMyAdmin-2.8.2 directory has been created for extraction.
Now it's time to transfer the whole directory structure c:\phpMyAdmin-2.8.2 to the web server in our web space. We use our favorite FTP software or the web control panel for the transfer.
The exact directory under which we transfer phpMyAdmin may vary: It could be our public_html directory or another directory where we usually transfer web documents. For further instructions about the exact directory to be used or the best way to transfer the directory structure, we can consult our host provider's help desk.
After the transfer is complete, these files are no longer needed on our Windows client; so we can remove them.
[edit] Installation on a Local Linux Server
Let's say we chose phpMyAdmin-2.8.2.tar.gz and downloaded it directly to some directory on the Linux server. We move it to our web server's document root directory (for example, /var/www/html) or to one of its subdirectories (for example, /var/www/html/utilities). Then we extract it with the following shell command or by using any graphical file extractor our window manager offers:
tar -xzvf phpMyAdmin-2.8.2.tar.gz
We ensure that the permissions and ownership of the directory and files are appropriate for our web server; the web server user or group must be able to read them.
[edit] Installation on Local Windows Servers (Apache, IIS)
The procedure here is similar to that described in the Installation on a Remote Server Using a Windows Client section, except that the target directory will be under our DocumentRoot (for Apache) or our wwwroot (for IIS). Of course, we do not need to transfer anything after the modifications of config.inc.php, as the directory is already on the web space.
Apache is usually run as a service, so we have to ensure that the user under which the service is running has normal read privileges to access our newly created directory. The same principle applies to IIS, which uses the IUSR_machinename user. This user must have read access to the directory. You can adjust permissions in the Security/permissions tab of the directory's properties.
[edit] First Connection Configuration
Here we learn how to prepare and use the configuration file which contains the parameters to connect to MySQL and which can be customized as per our requirements. In this tutorial, we will concentrate on the parameters that deal with connection and authentication.
Note: Before configuring, we can rename the directory phpMyAdmin-2.8.2 to something easier to remember, like phpMyAdmin, phpmyadmin, admin, or whatever. This way, we or our users will be able to visit an easily remembered URL to start phpMyAdmin. We can also use a symbolic link if our server supports this feature.
[edit] Configuration Principles
In versions before 2.8.0, a generic config.inc.php file was included in the downloaded kit. Since 2.8.0, this file is no longer present in the directory structure. Note that phpMyAdmin looks for this file in the first level directory the same one where index.php is located.
Without a configuration file, phpMyAdmin uses its default settings as defined in libraries/config.default.php and tries to connect to a MySQL server on localhost, the same machine where the web server is running, with user root and password NO. This is the default setup produced by most MySQL installation procedures, even though it is not really secure. However, if our freshly installed MySQL server still has the default root account, we will be able to login easily and see a warning given by phpMyAdmin about such lack of security.
We can verify this fact by opening our browser and visiting http://www.mydomain.com/phpmyadmin substituting the proper values for the domain part and the directory part. If we see phpMyAdmin's home page it means the MySQL server is still configured by default.
If it's not the case, we should see these messages in the default language defined in our browser:
Error. MySQL said: Access denied for 'root'@'@localhost' (password: NO) Probably reason of this is, that you did not create configuration file.
At this point we have two choices:
- se the web-based setup script to generate a
config.inc.phpfile - anually create a
config.inc.phpfile
These options are presented in the following sections. We should note that, even if we use the web-based setup script, we should familiarize ourselves with the config.inc.php file format, because the setup script does not cover all the possible configuration options.
[edit] Web-Based Setup Script
The web-based setup mechanism is strongly recommended in order to avoid syntax errors that could result from the manual creation of the configuration file. Indeed, since this file must respect PHP's syntax, it's common for new users to experience problems in this phase of the installation.
Note: A warning is in order here: even if phpMyAdmin contains translations for the user interface, the current version does not have a translation for the setup itself.
To access the setup script, we can click on the link available in the message we received previously, which points to http://www.mydomain.com/phpmyadmin/scripts/setup.php. Here is what appears on the initial execution:
There are two warnings here. We will first deal with the second one Not secure connection. This message appears if we are accessing the web server over HTTP, an insecure protocol. Since we are possibly going to input confidential information like the user name and password in the setup phase, it's recommended to communicate over HTTPS at least for this phase. HTTPS uses SSL(Secure Socket Layer) to encrypt the communication and make eavesdropping impossible on the line. If our web server supports HTTPS, we can simply follow the proposed link which will restart the setup process, this time over HTTPS. Our example supposes we do so.
The first warning tells us that phpMyAdmin did not find a writable directory with the name config and this is normal since it was not present in the downloaded kit. Since the directory is not yet there, we observe that the Save and Load buttons in the interface are grey. In this config directory we can:
- Have the working version of the configuration file during the setup process
- Load a previously prepared
config.inc.phpfile
It's not absolutely necessary that we create this configuration directory, since we could download to our client machine the config.inc.php file produced by the setup procedure, then upload it to phpMyAdmin in the first-level directory via the same mechanism (say FTP) that we used to upload phpMyAdmin itself. However, we'll nonetheless create this directory.
The principle here is that the web server must be able to write to this directory. There is more than one way to achieve this. Here is one that would work on a Linux server, assuming that the installation is done by user marc and that the web server is not running under the group users:
cd phpMyAdmin mkdir config chown marc.users config chmod o+rwx config
Having done that, we refresh the page in our browser and we see:
A single copy of phpMyAdmin can be used to manage many MySQL servers. We will now define parameters describing our first MySQL server. In the Servers section, we click Add and the following screen is shown:
A complete explanation of these parameters can be found in the following sections of this tutorial. For now, we notice that the setup process has detected that PHP supports the mysqli extension, so this is the one that is chosen by default. This extension is the programming library used by PHP to communicate with MySQL.
Let's enter the minimum parameters required for a first connection. We assume that our MySQL server is located on localhost, so we keep this value and all the proposed values intact, except for the following:
- User for config auth: we enter our user name, marc
- Password for config auth: we enter our password, bingo
We then click Add, and we get the New server added message. Now our setup process knows about one MySQL server, and there are sections of the interface that enable us to Edit or Delete these server settings:
We can have a look at the generated configuration lines by using the Configuration/Display button then we can analyze these parameters using the explanations given in The config.inc.php File section later in this tutorial.
At this point, this configuration is still just in memory, so we need to save it. This is done via the Configuration/Save button. It saves config.inc.php in the special config directory we created previously. This is a directory strictly used for configuration purposes.
The last step is to move config.inc.php from the config directory to the top-level directory the one that contains index.php. This can be done via FTP or by commands such as
cd config mv config.inc.php ..
Note: As a security measure, it's recommended to change the permission on the config directory for example, with the chmod o-rwx config command. This is to block any non-authorized writing in this directory.
Other configuration parameters can be set with these web-based setup pages. To do so, we would have to:
1. Enable read and write access to the config directory
2. Copy the config.inc.php there
3. Start the web-based setup tool
[edit] Manual Creation of config.inc.php
We can create this text file from scratch using our favorite text editor. The exact procedure depends upon which client operating system we are using; we can refer to the Tips for Editing config.inc.php on a Windows Client section for further information.
The default value of all the possible configuration parameters that can be located inside config.inc.php is defined in libraries/config.default.php. We can take a look at this file to see the syntax used and further comments about configuration. See the important note about this file in the Upgrading phpMyAdmin section of this tutorial.
[edit] Tips for Editing config.inc.php on a Windows Client
This file contains special characters (Unix-style end of lines), so we must open it with a text editor that understands this format. If we use the wrong text editor, this file will be displayed with very long lines.
The best choice is a standard PHP editor. Another choice would be WordPad, MetaPad or UltraEdit, but we should be careful not to add any characters (even blank lines) at the beginning or end of the file. This would disturb the execution of phpMyAdmin and generate the Cannot send header output... error message.
Each time the config.inc.php file is modified, it will have to be transferred again to our web space. This transfer might have to be done explicitly with a specific transfer program, or it might be done by a feature of an editor like HomeSite, Komodo, or PHPEdit, which can save directly via FTP.
[edit] The config.inc.php File
This file contains valid PHP code, defining the majority of the parameters (expressed by PHP variables) that we can change to tune phpMyAdmin to our own needs. There are also normal PHP comments in it, and we can comment our changes.
Note: Be careful not to add any blank line at the beginning or end of the file; this would hamper the execution of phpMyAdmin.
Starting with phpMyAdmin 2.6.0, there is another configuration file: layout.inc.php. As this version offers theme management, this file contains the theme-specific colors and settings. There is one layout.inc.php per theme, located in themes/themename, for example, themes/original.
[edit] PmaAbsoluteUri
The first parameter to have a look at is $cfg['PmaAbsoluteUri'] = ;
In most cases we can leave this one empty, as phpMyAdmin tries to auto-detect the correct value. If we browse a table later and then edit a row and click Save, we will receive an error message from our browser for example, This document does not exist. This means that the absolute URI that phpMyAdmin built in order to reach the intended page was wrong, indicating that we must manually put the correct value in this parameter.
For example, we would change it to:
$cfg['PmaAbsoluteUri'] = 'http://www.mydomain.com/phpMyAdmin_2.8.2/';
[edit] Server-Specific Sections
The next section of the file contains server-specific configurations, each starting with:
$i++; $cfg['Servers'][$i]['host'] = ;
If we examine only the normal server parameters, we see a section like the following for each server:
$i++; $cfg['Servers'][$i]['host'] = ; $cfg['Servers'][$i]['port'] = ; $cfg['Servers'][$i]['socket'] = ; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['extension'] = 'mysql'; $cfg['Servers'][$i]['compress'] = FALSE; $cfg['Servers'][$i]['controluser'] = ; $cfg['Servers'][$i]['controlpass'] = ; $cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user'] = 'root'; $cfg['Servers'][$i]['password'] = ; $cfg['Servers'][$i]['only_db'] = ; $cfg['Servers'][$i]['hide_db'] = ; $cfg['Servers'][$i]['verbose'] = ;
In this section, we have to enter in $cfg['Servers'][$i]['host'] the hostname or IP address of the MySQL server for example, mysql.mydomain.com or localhost. If this server is running on a non-standard port or socket, we fill in the correct values in $cfg['Servers'][$i]['port'] or $cfg['Servers'][$i]['socket']. See the section on connect_type for more details about sockets.
The displayed server name inside phpMyAdmin's interface will be the one entered in 'host' (unless we enter a non-blank value in the following parameter). For example:
$cfg['Servers'][$i]['verbose'] = 'Test server';
This feature can thus be used to hide the real server hostname as seen by the users.
[edit] extension
The traditional mechanism by which PHP can communicate with a MySQL server, as available in PHP before version 5, is the mysql extension. This extension is still available in PHP 5, but a new one called mysqli has been developed and should be preferred for PHP 5, because of its improved performance and its support of the full functionality of MySQL family 4.1.x. This extension is designed to work with MySQL version 4.1.3 and higher.
In phpMyAdmin version 2.6.0, a new library has been implemented, making possible the use of both extensions choosing either for a particular server. We indicate the extension we want to use in $cfg['Servers'][$i]['extension'].
[edit] PersistentConnections
Another important parameter (which is not server-specific but applies to all server definitions) is $cfg['PersistentConnections']. For all servers to which we connect using the mysql extension, this parameter, when set to TRUE, instructs PHP to keep the connection to the MySQL server open. This speeds up the interaction between PHP and MySQL. However, it is set to FALSE by default in config.inc.php, because persistent connections are often a cause of resource depletion on servers MySQL refusing new connections. For this reason, the option is not even available for the mysqli extension, so setting it to TRUE here would have no effect if you are connecting with this extension.
[edit] connect_type, socket and port
Both the mysql and mysqli extensions automatically use a socket to connect to MySQL if the server is on localhost. Consider this configuration:
$cfg['Servers'][$i]['host'] = 'localhost'; $cfg['Servers'][$i]['port'] = ; $cfg['Servers'][$i]['socket'] = ; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['extension'] = 'mysql';
The default value for connect_type is tcp. However, the extension will use a socket because it concludes that this is more efficient as the host is localhost, so in this case, we can use tcp or socket as the connect_type. To force a real tcp connection, we can specify 127.0.0.1 instead of localhost in the host parameter. Because the socket parameter is empty, the extension will try the default socket. If this default socket, as defined in php.ini, does not correspond to the real socket assigned to the MySQL server, we have to put the socket name (for example, /tmp/mysql.sock) in $cfg['Servers'][$i]['socket'].
If the hostname is not localhost, a tcp connection will occur here, on the special port 3307. However, leaving the port value empty would use the default 3306 port:
$cfg['Servers'][$i]['host'] = 'mysql.domain.com'; $cfg['Servers'][$i]['port'] = '3307'; $cfg['Servers'][$i]['socket'] = ; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['extension'] = 'mysql';
[edit] compress Configuration
Starting with PHP 4.3.0 and MySQL 3.23.49, the protocol used to communicate between PHP and MySQL allows a compressed mode. Using this mode provides better efficiency. To take advantage of this mode, simply specify:
$cfg['Servers'][$i]['compress'] = TRUE;
[edit] Authentication Type: config
For our first test, we will use the config authentication type, which is easy to understand. However, in the Multi-User Installation section, we will see more powerful and versatile ways of authenticating.
Although it seems that we are logging in to phpMyAdmin, we are not! The authentication system is a function of the MySQL server. We are merely using phpMyAdmin (which is running on the web server) as an interface that sends our user and password information to the MySQL server. Strictly speaking, we do not log in to phpMyAdmin but through phpMyAdmin.
Note: Using the config authentication type leaves our phpMyAdmin open to intrusion, unless we protect it as explained in the Security section of this tutorial.
Here we enter our username and password for this MySQL server:
$cfg['Servers'][$i]['user'] = 'marc'; $cfg['Servers'][$i]['password'] = 'bingo';
We can then save the changes we made in config.inc.php.
[edit] Testing the First Connection
Now it's time to start phpMyAdmin and try connecting for the first time. This will test the following:
- he values we entered in the config file or on the web-based setup
- he setup of the PHP component inside the web server if we did a manual configuration
- ommunication between web and MySQL servers
Due to a problem in phpMyAdmin 2.8.0 to 2.8.2, for these versions we should close all windows of our browser at this point.
We start our browser and point it to the directory where we installed phpMyAdmin, as in http://www.mydomain.com/phpMyAdmin. If this does not work, we try http://www.mydomain.com/phpMyAdmin/index.php. (This would mean that our web server is not configured to interpret index.php as the default starting document.)
We should now see phpMyAdmin's home page.
[edit] Multi-Server Configuration
The config.inc.php file contains at least one server-specific section but we can add more, enabling a single copy of phpMyAdmin to manage many servers. Let us see how to configure more servers.
[edit] Servers Defined in the Configuration File
In the server-specific sections of the config.inc.php file, we see lines referring to $cfg['Servers'][$i] for each server. Here, the variable $i is used so that one can easily cut and paste whole sections of the configuration file to configure more servers. While copying such sections, we should take care that the $i++; instruction that precedes each section and is crucial to delimit the server sections is also copied.
Then, at the end of the sections, the following line controls what happens at startup:
$cfg['ServerDefault'] = 1;
The default value, 1, means that phpMyAdmin will connect by itself to the first server defined or present this server choice by default when using advanced authentication more on this later in this article. We can specify any number, for the corresponding server-specific section. We can also enter the value 0, signifying no default server, in which case phpMyAdmin will present a server choice:
[edit] Arbitrary Server
Another mechanism can be used if we want to be able to connect to an undefined MySQL server. First, we have to set the following parameter:
$cfg['AllowArbitraryServer'] = TRUE;
Then, we need to use the cookie authentication type, explained in the next section. We will be able to choose the server and enter a username and a password.
Note: This mechanism should probably be used in conjunction with a reinforced security mechanism (see the Security section), because any MySQL server accessible from our web server could be connected to.
As seen here, we still can choose one of the defined servers in Server Choice, but we can enter an arbitrary server name, a username, and a password:
[edit] Advanced Authentication
We might want to allow a single copy of phpMyAdmin to be used by a group of persons, each having their own MySQL username and password and seeing only the databases they have rights to. Or we might prefer to avoid having our username and password in clear text in config.inc.php.
[edit] Authentication Types Offered
Instead of relying on a username/password pair stored in config.inc.php, phpMyAdmin will communicate with the browser and get authentication data from it. This enables true login for all users defined in a specific MySQL server, without having to define them in the configuration file. There are two modes offered that allow a controlled login to MySQL via phpMyAdmin: http and cookie. We will have to choose the one that suits our specific situation and environment (more on this in a moment). Both modes require that we first define a control user.
[edit] The Control User
To be able to use authentication types for every kind of MySQL user (in MySQL, user privileges may be expressed in various ways), we should define a control user and password in the server-specific section of a server. If we do not define one, users who have been defined in MySQL with a syntax of 'user'@'hostname' or 'user'@'%' will be able to function normally with phpMyAdmin's features like creating a database, and others won't.
The control user is a special user (the usual name we choose for it is pma, a familiar abbreviation for phpMyAdmin) who has the rights to read some fields in the special mysql database (which contains all the user definitions). phpMyAdmin sends queries with this special control user only for the specific needs of authentication, and not for normal operation. The commands to create the control user are available in phpMyAdmin's Documentation.html and may vary from version to version. This documentation contains the most current commands.
There is another reason to define a control user: to be able to use the advanced relational features of phpMyAdmin.
When our control user is defined, we fill in the parameters as in the following example:
$cfg['Servers'][$i]['controluser'] = 'pma'; $cfg['Servers'][$i]['controlpass'] = 'bingo';
Note: I use the bingo password when I teach phpMyAdmin; it is recommended to avoid using the same password for your own installation.
[edit] HTTP Authentication
This mode, http, is the traditional mode offered in HTTP, in which the browser asks for the username and password, sends them to phpMyAdmin, and keeps sending them until all the browser's windows are closed.
To enable this mode, we simply use the following line:
$cfg['Servers'][$i]['auth_type'] = 'http';
This mode has some limitations:
- PHP, depending on the version, might not support HTTP authentication. It works when PHP is running as a module under Apache; for other cases, we should consult the PHP documentation for our version.
- If we want to protect phpMyAdmin's directory with a
.htaccessfile (see the Security section in this article), this will interfere with HTTP authentication type; we cannot use both.
There is not a true logout; we will have to close all browser windows to be able to login again with the same username. Even considering those limitations, this mode may be a valuable choice for the following reasons:
- Home browsers (like Mozilla) can store the authentication information in an encrypted form.
- It is a bit faster than cookie processing.
[edit] Cookie Authentication
The cookie authentication mode is superior to http in terms of the functionalities offered. It offers true login and logout, and can be used with PHP running on any kind of web server. It presents a login panel (see the following figure) from within phpMyAdmin. This can be customized since we have the application source code. However, as you may have guessed, for cookie authentication, the browser must accept cookies coming from the web server but this is true for all authentication modes starting with phpMyAdmin 2.8.0:
This mode stores the username typed in the login screen into a permanent cookie in our browser. The password is stored as a temporary cookie. In a multi-server configuration, the username/password pair corresponding to each server is stored separately. To protect the username/password secrecy against some attack methods that target cookie content, they are encrypted using the Blowfish algorithm. So, to use this mode, we have to define (once) in config.inc.php a secret password that will be used to securely encrypt all passwords stored as cookies from this phpMyAdmin installation.
This is done by putting a secret password here:
$cfg['blowfish_secret'] = 'SantaLivesInCanada';
Then, for each server-specific section, use the following:
$cfg['Servers'][$i]['auth_type'] = 'cookie';
The next time we start phpMyAdmin, we will see the login panel.
By default, phpMyAdmin displays (in the login panel) the last username for which a successful login was achieved for this particular server, as retrieved from the permanent cookie. If this behavior is not acceptable (if we would prefer that someone else who logs in from the same workstation should not see the previous username), we can set the following parameter to FALSE:
$cfg['LoginCookieRecall'] = FALSE;
A security feature was added in phpMyAdmin 2.6.0: a time limit for the validity of the entered password. This feature helps to protect the working session. After a successful login, our password is stored in a cookie, along with a timer. Every action in phpMyAdmin resets the timer. If we stay inactive a certain number of seconds, as defined in $cfg['LoginCookieValidity'], we are disconnected and have to login again. The default is 1800 seconds.
Note: The Blowfish algorithm used to protect the username and password requires many computations. To achieve the best possible speed, the PHP's mcrypt extension and its accompanying library must be installed on our web server. Otherwise, phpMyAdmin relies on an internally coded algorithm which works but causes delays of several seconds on almost every operation done from phpMyAdmin! This is because the username and password information must be decoded on every mouse click to be able to connect to MySQL.
[edit] Security
Security can be examined at various levels:
- Directory-level protection for phpMyAdmin
- IP-based access control
- The databases that a legitimate user can see
- In-transit data protection
[edit] Directory-Level Protection
Suppose an unauthorized person is trying to execute our copy of phpMyAdmin. If we used the simple config authentication type, anyone knowing the URL of our phpMyAdmin will have the same effective rights on our data as us. In this case, we should use the directory-protection mechanism offered by our web server (for example, htaccess) to add a level of protection.
If we chose to use http or cookie authentication types, our data would be safe enough, but we should take the normal precautions with our password (including its periodic change).
The directory where phpMyAdmin is installed contains sensitive data. Not only the configuration file but also ultimately all scripts stored there must be protected from alteration. We should ensure that apart from us, only the web server effective user has read access to the files contained in this directory and that only we can write to them.
Note: phpMyAdmin's scripts never have to modify anything inside this directory, except when we use the Save export file to server feature.
Another possible attack is from other developers having an account on the same web server as us. In this kind of attack, someone can try to open our config.inc.php file. Since this file is readable by the web server, someone could try to include our file from their PHP scripts. This is why it is recommended to use PHP's open_basedir feature, possibly applying it to all directories from which such attacks could originate.
[edit] IP-Based Access Control
An additional level of protection can be added, this time verifying the Internet Protocol (IP) address of the machine from which the request to use phpMyAdmin is received.
To achieve this level of protection, we construct rules allowing or denying access, and specify the order in which these rules will be applied.
[edit] Rules
The format of a rule is:
<'allow' | 'deny'> <username> [from] <source>
from being optional. Here are some examples:
allow Bob from 1.2.3.4
User Bob is allowed access from IP address 1.2.3.4.
allow Bob from 1.2.3/24
User Bob is allowed from any address matching the network 1.2.3 (this is CIDR IP matching).
deny Alice from 4.5/16
User Alice cannot access when located on network 4.5.
allow Melanie from all
User Melanie can login from anywhere.
allow Julie from localhost
Equivalent to 127.0.0.1
deny % from all
all can be used as an equivalent to 0.0.0.0/0, meaning any host. Here, the % sign means any user.
The source part can also be formed with the special names localnetA, localnetB, or localnetC. These represent the complete class A, B, or C network in which the web server is located. Note that phpMyAdmin relies on the $_SERVER["SERVER_ADDR"] PHP parameter for this feature. Usually we will have several rules. Let's say we wish to have the two rules that follow:
allow Marc from 45.34.23.12 allow Melanie from all
We have to put them in config.inc.php (in the related server-specific section) as follows:
$cfg['Servers'][$i]['AllowDeny']['rules'] =
array('allow Marc from 45.34.23.12',
'allow Melanie from all');
When defining a single rule or multiple rules, a PHP array is used, and we must follow its syntax enclosing each complete rule within single quotes and separating each rule from the next with a comma. Thus, if we have only one rule, we must still use an array to specify it like this:
$cfg['Servers'][$i]['AllowDeny']['rules'] =
array('allow Marc from 45.34.23.12');
The next parameter explains the order in which rules are interpreted.
[edit] Order of Interpretation for Rules
By default, this parameter is empty:
$cfg['Servers'][$i]['AllowDeny']['order'] = ;
This means that no IP-based verification is made.
Suppose we want to allow access by default, denying access only to some username/IP pairs. We should use:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
In this case, all deny rules will be applied first, followed by allow rules. If a case is not mentioned in the rules, access is granted. Being more restrictive, we'd want to deny by default. We can use:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
This time, all allow rules are applied first, followed by deny rules. If a case is not mentioned in the rules, access is denied.
The third (and most restrictive) way of specifying rules order is:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
deny rules are applied before allow rules, but to be accepted, a username/IP address must be listed in the allow rules and not in the deny rules.
[edit] Simplified Rule for Root Access
Since the root user is present in almost all MySQL installations, it's often the target of attacks. Starting with phpMyAdmin 2.6.1, a parameter permits us to easily block all logins of the MySQL's root account, using the following:
$cfg['Servers'][$i]['AllowRoot'] = FALSE;
[edit] Restricting the List of Databases
Sometimes it is useful to avoid showing in the left panel all the databases to which a user has access. phpMyAdmin offers two ways of restricting: only_db and hide_db.
To specify the list of what can be seen, the only_db parameter is used. It may contain a database name or a list of database names. Only these databases will be seen in the left panel:
$cfg['Servers'][$i]['only_db'] = 'payroll';
$cfg['Servers'][$i]['only_db'] = array('payroll', 'hr');
The database names can contain MySQL wildcard characters like _ and %.
We can also indicate which database names must be hidden with the hide_db parameter. It contains a regular expression (http://en.wikipedia.org/wiki/Regular_expression) representing what to exclude. If we do not want users to see all databases whose names begin with 'secret' we would use
$cfg['Servers'][$i]['hide_db'] = '^secret';
These parameters apply to all users for this server-specific configuration.
Note: These mechanisms do not replace the MySQL privilege system. Users' rights on other databases still apply, but they cannot use phpMyAdmin's left panel to navigate to their other databases or tables.
[edit] Protecting In-Transit Data
HTTP is not inherently immune to network sniffing (grabbing sensitive data off the wire), so if we want to protect not only our username and password but all the data that travels between our web server and browser, we have to use HTTPS.
To do so, assuming that our web server supports HTTPS, we just have to start phpMyAdmin by putting https instead of http in the URL as follows:
https://www.mydomain.com/phpMyAdmin
If we are using PmaAbsoluteUri auto-detection:
$cfg['PmaAbsoluteUri'] = ;
phpMyAdmin will see that we are using HTTPS in the URL and react accordingly. If not, we must put the https part in this parameter as follows:
$cfg['PmaAbsoluteUri'] = 'https://www.mydomain.com/phpMyAdmin';
Also, since phpMyAdmin 2.7.0, we can automatically switch users to an HTTPS connection with this setting:
$cfg['ForceSSL'] = TRUE;
[edit] Upgrading phpMyAdmin
Normally, upgrading is just a matter of installing the newer version into a separate directory and copying the previous version's config.inc.php to the new directory. If the previous version is phpMyAdmin 2.3.0 or older, we cannot copy its config.inc.php to the new version because the file format has changed too much.
Note: An upgrade or first-installation path that should not be taken is to copy libraries/config.default.php to config.inc.php, since this default configuration file is version-specific and is not guaranteed to work for future versions.
New parameters appear from version to version. They are documented in Documentation.html and defined in libraries/config.default.php. If a configuration parameter is not present in config.inc.php, its value from libraries/config.default.php will be used; so we do not have to include it into config.inc.php if the default value suits us.
Special care must be taken to propagate the changes we might have made to the layout.inc.php files, depending on the themes used. We may even have to copy our custom themes subdirectories if we added our own themes to the structure.
[edit] Summary
In this tutorial we took a look at the common reasons for installing phpMyAdmin, the steps for downloading it from the main site, basic configuration, and uploading it to our web server. We learned how to use a single copy of phpMyAdmin to manage multiple servers and also the usage of authentication types to fulfill the needs of a users' group while protecting authentication credentials. Securing our phpMyAdmin installation and upgrading phpMyAdmin were also covered.
[edit] Source
The source of this content is Chapter 2: Installing phpMyAdmin of Mastering phpMyAdmin 2.8 for Effective MySQL Management by Marc Delisle(Packt Publishing, 2007).
