Adminer - Database management in a single PHP file

Genesis

Administrator
Staff member
Nope, but I'm very happy to check out an alternative, particularly if it is as it claims it is, i.e. got a simpler interface. Phpmyadmin has a dreadful interface. I'm used to it now, but there is plenty of room for improvement.
 

riddict

New member
Just heard about it, but this is the smartphone era.
Besides phpMyAdmin I also use a MySQL client on my Android smartphone. Very handy to manage your SQL database without using a browser and loading a slow web admin panel.
 
I find PHPMyAdmin to be very simple and easy to use.

Does anyone know if this is a stand alone set up or would you need phpmyadmin installed already on your server?
 

GigaGreg

Moderator
Staff member
strokerace said:
Does anyone know if this is a stand alone set up or would you need phpmyadmin installed already on your server?

Yes, it is a stand-alone version. It was forked from PHPMyAdmin and tweaked to make it simpler and easier to use. That's what you can read on their website in a nutshell.
 

MichaelW

New member
I prefer Adminer because when I was using phpMyAdmin the amount of brute-force attacks was astounding; with Adminer you can place the one file anywhere you like!
 

Genesis

Administrator
Staff member
strokerace said:
binil said:
strokerace said:
I find PHPMyAdmin to be very simple and easy to use.
I have tried all of them, and keep going back to phpmyadmin as it's simple, easy to use especially for a n00b
I can't agree with this statement about phpmyadmin. When I was a n00b and started to get into phpmyadmin in a more meaningful way, I had to Google about every aspect of it before I could use it. I found myself working through a great number of YouTube tutorials - which there are almost hundreds out there for the simple reason that it is not user-friendly. Once one knows where everything is, and how to manage it, then it gets easier. I've cursed it quite a number of times however while I was learning, and I'm still learning. My last learning curve has been when I tried to add it to VestaCP VPS Control Panel. My first experience was horrible, however good, as that really brought me up close and personal with the workings of phpmyadmin. If one checks the VestaCP Forum it is FULL of n00bs, asking all kinds of questions about phpmyadmin - obviously struggling.
 
It's interesting that you say that. I started with PHPmyadmin since my first server. Ya, it was a bit confusing as I had never had a server or knew anything about it. I never watched any vids as I think it was before YouTube came out. So everything was text documents. Maybe that is why it was easier. I have found some of those vids there very confusing and they don't tell you the right information. After I figured out how to create a database and how to execute SQL, the rest I learnt on my own by exploring it.

I set up a Panel on a server for a friend, it was the centos panel. It was even more confusing and difficult to figure out than phpmyadmin was. I have some experience with Panels, so if I found it confusing, I can imagine that a n00b would too.
 

Genesis

Administrator
Staff member
strokerace said:
It's interesting that you say that. I started with PHPmyadmin since my first server. Ya, it was a bit confusing as I had never had a server or knew anything about it. I never watched any vids as I think it was before YouTube came out. So everything was text documents. Maybe that is why it was easier. I have found some of those vids there very confusing and they don't tell you the right information. After I figured out how to create a database and how to execute SQL, the rest I learnt on my own by exploring it.

I set up a Panel on a server for a friend, it was the centos panel. It was even more confusing and difficult to figure out than phpmyadmin was. I have some experience with Panels, so if I found it confusing, I can imagine that a n00b would too.
Well seeing you're not a n00b, I can imagine you've got it sorted out. I just find in general it's not instinctive for users. One has to look for a step by step tutorial, or clarification of things. Like for the longest time in cPanel, and I think it's still the case, once one is in phpmyadmin, there is no log out button. cPanel also doesn't ask for a login and password. One just gets in it, without having to log in. Which I think is a security omission. Not all panels however allow one to get in without logging in from the panel. Webuzo panel asks for a login and password, and phpmyadmin can be logged out of at the end of the session.
 

Genesis

Administrator
Staff member
@"strokerace" Think you misunderstood. Of course one needs a login to get into cPanel. That goes without saying. But I'm saying that even with the login into cPanel, ideally for security there should be a separate login for phpmyadmin when one clicks on it. Also, once one has been in phpmyadmin, then there should be a logout of phpmyadmin that is in addition to the logout for cPanel.

I don't think people realize how vulnerable for hacking phpmyadmin is. Particularly considering that all of the Website and access to the Admin of the Website info is contained in the database that is available through phpmyadmin. A clever hacker can basically access or take over the whole Website by just getting access to the phpmyadmin. That is why people who are really savvy about security (I don't say I am as I do use phpmyadmin with all of my websites), but your real command line Geeks would never use phpmyadmin through a panel of any kind.
 

riddict

New member
Finally, I figured how to use adminer. I install PHP and MySQL server on my android. But I can't find a good sql manager for my android. And here comes adminer. very handy.
 
Genesis said:
@"strokerace" Think you misunderstood. Of course one needs a login to get into cPanel. That goes without saying. But I'm saying that even with the login into cPanel, ideally for security there should be a separate login for phpmyadmin when one clicks on it. Also, once one has been in phpmyadmin, then there should be a logout of phpmyadmin that is in addition to the logout for cPanel.

I don't think people realize how vulnerable for hacking phpmyadmin is. Particularly considering that all of the Website and access to the Admin of the Website info is contained in the database that is available through phpmyadmin. A clever hacker can basically access or take over the whole Website by just getting access to the phpmyadmin. That is why people who are really savvy about security (I don't say I am as I do use phpmyadmin with all of my websites), but your real command line Geeks would never use phpmyadmin through a panel of any kind.

That is not true. PHPmyadmin is just a GUI. Don't think PHPmyadmin is vulnerable to hacking. In order for them to access your PHPmyadmin, they would need your Cpanel login. I checked it last night. I logged out of my panel with the PHPmyadmin window open, I tried to access a few things and it asked me to log back into Cpanel. That is one password that no one can hack unless they use a keylogger or installed software on the server to find the Cpanel login. Yes, there is software to do that. So there are no vulnerabilities in PHPmyadmin.

For an example, if your site has a SQL vulnerability, the only thing they would get is your database name and password for that database. With that, at most they can only gain admin access to your web pages that use that info. In short, they could lock you out of your website until you log into your Cpanel and remove them from the database.
 

Genesis

Administrator
Staff member
strokerace said:
That is not true. PHPmyadmin is just a GUI. Don't think PHPmyadmin is vulnerable to hacking. In order for them to access your PHPmyadmin, they would need your Cpanel login. I checked it last night. I logged out of my panel with the PHPmyadmin window open, I tried to access a few things and it asked me to log back into Cpanel. That is one password that no one can hack unless they use a keylogger or installed software on the server to find the Cpanel login. Yes, there is software to do that. So there are no vulnerabilities in PHPmyadmin.

For an example, if your site has a SQL vulnerability, the only thing they would get is your database name and password for that database. With that, at most they can only gain admin access to your web pages that use that info. In short, they could lock you out of your website until you log into your Cpanel and remove them from the database.
I didn't say cPanel was insecure Strokerace. I said that ideally one needs an ADDED layer of security for phpmyadmin. Particularly considering that phpmyadmin contains almost all of the Website admin info in it. Like all of the access information. One should be prompted for a separate password to get into phpmyadmin inside cpanel, and be able to log out properly in addition to logging out of cpanel.

For me the equivalent is phpmyadmin being the "safe" that you put your most valuable items in. It's in a house with double locks on the door (cPanel). You want everything to be as safe as you can, but your most valuable items you want double security for.

I disagree that cPanel is completely safe - particularly in a shared hosting environment. We had a situation at another Server a few years ago when a hacker managed to hack a shared hosting Website as an act of vengeance (the target had copied a hacker forum theme), and as a bonus he managed to hack himself into cpanel, probably not even planning to do so, but managed to do it. Once in cpanel he can get into any phpmyadmin he wants to. Given that there isn't a second password he has to worry about. He didn't get into the other Websites thankfully (an ethical hacker :)), but he seriously damaged some of the functions in cpanel that took a long time to fix.

I also disagree with you that the hacker would only get the passwords. With WordPress definitely all of the content, the pages and posts are contained inside the database. Only content that is outside the database are the images and some of the functions. If the hacker would have chosen to get into phpmyadmin of any given Website he could have seriously wrecked it, or taken it over. He doesn't only get access to admin info, but in the case of WordPress for certain, he gets almost all of the content as well. Only content he doesn't get are the images and functions.
 
Cookie authentication mode
  • You can use this method as a replacement for the HTTPIIS).
  • Obviously, the user must enable cookies in the browser, but this is now a requirement for all authentication modes.
  • With this mode, the user can truly log out of phpMyAdmin and log in back with the same username.
  • If you want to log in to arbitrary server see $cfg['AllowArbitraryServer'] directive.
  • As mentioned in the Requirements section, having the mcrypt extension will speed up access considerably, but is not required.
Signon authentication mode
  • This mode is a convenient way of using credentials from another application to authenticate to phpMyAdmin.
  • The other application has to store login information into session data.
See also $cfg['Servers'][$i]['auth_type'], $cfg['Servers'][$i]['SignonSession'], $cfg['Servers'][$i]['SignonScript'], $cfg['Servers'][$i]['SignonURL']
Config authentication mode
http://phpmyadmin.net/auth_key since this link provides funding for phpMyAdmin.
See also $cfg['Servers'][$i]['auth_swekey_config']
Securing your phpMyAdmin installation
The phpMyAdmin team tries hard to make the application secure, however there are always ways to make your installation more secure:
  • remove setup directory from phpMyAdmin, you will probably not use it after initial setup
  • prevent access to libraries directory from browser, as it is not needed, supplied .htaccess file does this
  • properly choose authentication method - Cookie authentication mode$cfg['Servers'][$i]['AllowDeny']['rules'] to limit them
  • consider hiding phpMyAdmin behind authentication proxy, so that MySQL credentials are not all users need to login
 
Also, as for wordpress, if I get the login for the admin panel, I don't get access to the DB. If the DB is vulnerable to sql injection, I can create a new admin user and password and give me access to the admin panel. I don't think the admin panel of wordpress gives me access to the DB though. It does give me access to any plugin etc to the site. So at most, I could alter those.

But, if I can use sql injection on the DB, I can dump the whole DB. I also use a program called Acunetix Web Vulnerability Scanner to scan any website. It scans for 1000's of vulnerabilities on the website and tells you how severe they are. It's a paid program that is well worth the money if you are into network security. 9 times out of 10, you don't need to know much about hacking to get into a site if you use this program on a wordpress site. Some of the built in features that users use can cause their sites to get hacked without a password or sql injection. I found one site did a complete back up, including the SQL DB, and it was accessible from the web browser. All a user had to know was where the back up program would store the back up files.
Inside of it, it gave me the SQL user and password. All I had to do was use a program to run the SQL and create myself an admin user account. Or I could have used that info to download the latest DB info, and then created a clone version of the site on another server.

Remember, people are so gung ho about SEO, that I could have set up some SEO stuff and everyone would be directed to the site and they would think it was the real one. Or you can go one step further and see if you can hack the DNS server and redirect the domain to the newly created site.

So, does it really matter if PHPmyadmin has a login/logout? No, it doesn't change anything in the scope of security. What matters the most is that the server admin keeps the server up to date, patches installed, watches 0day sites. Then the website owner has to monitor his own files and check for updates, security issues and make sure he logs in and out properly every time.

When I had my Dev site, I had people checking the code for bugs, and security issues and repairing them. What may be ok today, may not be tomorrow. I have even given some hackers my site addy and told them to hack it. This way I knew what to fix. Seeing it was my own code, no one other than me was doing the patching. And my skill level for hacking is not even worth mentioning as it's very very low. So I don't know all the tricks or tools that a hacker would use, thus the reason I use the vulnerability scanner to help me with security risk. It will also tell you that some may be false positives, but still worth checking into just the same.

I can tell you there is not enough time in a day to keep up. Your head will explode before you even get into 1/4 of the stuff that is out there.

I know this is long winded, but it's why I hardly use other people's programs any more. They can't be trusted, they get lazy, sloppy with their code and no one double checks their work anymore.
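
Added example, not part of the thread or of the phpMyAdmin documentation quoted above: a config.inc.php fragment that applies the quoted hardening points (cookie authentication with a real logout, AllowDeny rules) next to the weak "config" mode. The account name dbadmin, the 203.0.113.0/24 range and the secret value are constructed placeholders.

```php
<?php
// config.inc.php fragment (added example; names and addresses are placeholders).

$i = 0;
$i++;

// Weak variant, shown commented out: 'config' mode stores the MySQL
// credentials in this file, so anyone who can reach the URL is logged in
// and there is nothing to log out of.
// $cfg['Servers'][$i]['auth_type'] = 'config';
// $cfg['Servers'][$i]['user']      = 'root';
// $cfg['Servers'][$i]['password']  = 'PLACEHOLDER';

// Hardened variant: every user logs in with their own MySQL account and
// can log out again (the "Cookie authentication mode" quoted above).
$cfg['blowfish_secret'] = 'REPLACE_WITH_32_RANDOM_CHARACTERS'; // cookie encryption key
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false; // reject accounts with empty passwords
$cfg['Servers'][$i]['AllowRoot'] = false;       // no root login through the web UI
$cfg['AllowArbitraryServer'] = false;           // login form cannot target other servers
$cfg['LoginCookieValidity'] = 900;              // idle session expires after 15 minutes

// AllowDeny rules: "<allow|deny> <username> [from] <ipmask>".
// With order 'explicit' a login is accepted only when it matches an
// allow rule and matches no deny rule; everything else is refused.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
$cfg['Servers'][$i]['AllowDeny']['rules'] = [
    'allow dbadmin from 203.0.113.0/24', // assumed office range
    'allow % from localhost',            // any MySQL user, local requests only
];

// The remaining quoted points are done outside this file: delete the
// setup/ directory after installation and keep the supplied .htaccess
// that blocks browser access to libraries/.
```

The rules are evaluated against the client address phpMyAdmin sees, so behind a reverse proxy they only work as intended once the proxy is listed in `$cfg['TrustedProxies']`.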
 

fhaas

New member
Hello,

I took most of my projects this adminscript. Sometimes I loved it and sometimes not.

When you take a look at both, then you can see that phpMyAdmin is more administrative-friendly than the other, but you can copy it to web space, use it and take it off without being on an SSH session; that's the greatest thing about it.