Developers

developers@phpmyadmin.net

5 participants
7032 discussions

Re: [Phpmyadmin-devel] Bug when inserting ++

by Loïc

Hi Tobias! Well I'm afraid I have to tell you this bug has already been reported and fixed a long time ago in the cvs tree ;) Anyway thanks for the report. BTW there are many problems with links in the phpWizard forum and then most of the users post now at least twice their messages in it. Not so fine... Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

22 years, 11 months

Re: [Phpmyadmin-devel] Two problems...

by Loïc

Hi again! >How about allowing an environment variable such as >PMAMULTICONFIG that specifies what config_*.inc.php3 file >should be used? That way multiple config files can be supported >under the same codebase and the config file could be specified >with SetEnv or in the Web Properties of whatnot. Most of the time the "SetEnv" function is disabled on shared servers, isn't it? Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

22 years, 11 months

[Phpmyadmin-devel] Bug when inserting ++

by Tobias Ratschiller

Hello, there is a bug in the current release of phpMyAdmin (2.2.0-final) when inserting a string containing "++". The "++" will get stripped out. -Tobias

22 years, 11 months

Re: [Phpmyadmin-devel] Two problems...

by Loïc

>I mean the SetEnv Apache directive, not the putenv() PHP function. Ouch, sorry... as usually I misread the message :o But I'm not sure many ISP allow their user to play with such a directive... Moreover I'm not sure "all" other server soft. know this directive. Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

22 years, 11 months

Re: [Phpmyadmin-devel] Two problems...

by Loïc

Hi Geert! To get the available databases for an user from MySQL you may use the "SHOW GRANTS" statement. But: 1) it's available since 3.23 only (implementation before this release is buggy) 2) this statement seems not to return the dbs avilable to the "anonymous" user while each user may use these dbs. Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

22 years, 11 months

Re: [Phpmyadmin-devel] Two problems...

by Alain Brissaud

Hi Loïc, > Do you mean you use "only_db" to skip to stuffs to get the > table list? > You don't rely on this feature as a way to define access rights > to your MySQL server, isn't it? No, rights are for mysql, no doubts in my head ;-) BUT, 1) in advanced auth, 'only_db' can be an array of db so if rights are correctly set and 'only_db' too : I'm not sure I'm getting the problem ?! 2) much more important : in virtual hosting, you can't change mysql parameters : it's not advanced auth but the 'only_db' feature is really important in real life use of Pma in such environments. Advanced auth is getting really a difficult problem (bookmark, only db ...) : maybe the config.inc.php3 should be split in two with a config_multi-user.inc.php3 much cleaner, maybe smarter and easy to administer. Alain.

22 years, 11 months

Re: [Phpmyadmin-devel] Two problems...

by Loïc

Hi Ignacio! >It has always been the sysadmin's job to maintain security. Any one who >is not doing that should be fired for gross incompetence (my opinion, of course). Right but I still don't know what is your opinion about the 'only_db' setting ;) >How about this: >"*** NOTE: phpMyAdmin does not apply any special security methods to the >MySQL database server. It is still the sysadmin's job to grant permissions on >the MySQL databases properly. Fine :) I'll add this to the doc tonight. Thanks for the help. Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

22 years, 11 months

[Phpmyadmin-devel] Two problems...

by Loïc

Hi All! First problem: -------------- Let's say you have such a config : $cfgServers[1]['host'] = 'my_host'; ... $cfgServers[1]['adv_auth'] = TRUE; $cfgServers[1]['stduser'] = 'user1'; $cfgServers[1]['stdpass'] = 'passwd1'; ... $cfgServers[1]['only_db'] = ''; ... $cfgServers[2]['host'] = 'my_host'; ... $cfgServers[2]['adv_auth'] = TRUE; $cfgServers[2]['stduser'] = 'user2'; $cfgServers[2]['stdpass'] = 'passwd2'; ... $cfgServers[2]['only_db'] = 'db2'; ... Then you would be displayed the server choice with two options at the starting right frame. Let's say you are user2. Since both the $cfgServers arrays use the same host and you have MySQL rights to access it, you may choose to login to $cfgServers[1]. And then you may easlly skip the 'only_db' setting. Moreover, if you login to $cfgServers[2] the left frame will display only the 'db2' database. Fine... but if you have right access to other dbs on this server you are able to run queries on these dbs. An easy fix for the first problem would be to ensure to use the valid $cfgServers thanks to $cfgServers[i]['stduser'] once the authentication is passed. But with Marc (and thanks to a suggestion from Piotr) we're working on a version that no long need the login and password to be stored in the config. file if advanced authentication is used. This would widely improve security. In a few words, I wonder if the 'only_db' setting is really usefull. And I'm also afraid how dangerous it could be: I discussed with ISP webmasters at the beginning of this week and some of them just use the 'only_db' setting without worying too much about MySQL grants! They presumed phpMyAdmin far or less handle the databases access rights since the 'only_db' setting is not well documented or not documented enough. Second problem: -------------- In the discussions I've had, I've also faced an other problem that seems widepsread enough to be reported: some of the webmasters have had a deeper (even if not deep enough) look at the MySQL privileges system and at the phpMyAdmin login procedure. They have then understand that if an user does not have the global "select" privilege, PMA tries to build the databases list from the "mysql.db" table. So they setup some globals privileges but not the "select" one for each user and just define "SELECT" one for relevant databases in "mysql.db". This way only databases with the "SELECT" grant are diplayed in the left frame of course, but each user is allowed to use the other ones. For example if the global "DROP" privilege is set to "Y", any user is able to drop... the "mysql" db even if it's not displayed in the left frame! We should really add some words about security in the documentation and emphasis the words "phpMyAdmin does not handle rights itself, it only uses MySQL ones"... and my english is not fluently enough to do it myself. Regards, Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

22 years, 11 months

[Phpmyadmin-devel] Questions again....

by Loïc

Hi List! I'm currently fixing the bugs with advanced authentication. I'm afraid this requires some important changes but it's required :( I've need your opinion on one point: who should be displayed the "show variables", and "show processlist" at the main right frame? Super-users only (ie those than can use the "mysql" db)? Those who do not have "only_db" set (but may be associated some restrictions with the mysql priv. system)? All users? Thanks for your advices, Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

22 years, 11 months

[Phpmyadmin-devel] Fw: [Phpmyadmin-users] Disney & more

by Geert Lund - SilverSoft Productions

Sorry - the message below was caught in the moderation filter - I'll just post it again :-) Kind regards Geert Lund ----- Original Message ----- From: "Geert Lund - SilverSoft Productions" <glund(a)silversoft.dk> To: <phpmyadmin-devel(a)lists.sourceforge.net> Sent: Thursday, October 04, 2001 8:58 PM Subject: Fw: [Phpmyadmin-users] Disney & more > As shown below - I've just mailed Jo Ann and asked to stop spam mailing... > > I also tried to call the phonenumber supplied on the webpage - but > unfortunately it was a voicemail system, so there was nothing to do with > that. > > But I hope that the spam stops - else we may have to consider moderated > mailinglists (but hopefully we can stop spam-mail as it look like an > individual person spaming - for the time being). > > Just to let you know :-)) > > Spam is not tolerated!! > > -- > Kind regards > Geert Lund > > ----- Original Message ----- > From: "news-service" <news-service(a)int.tele.dk> > To: <joaharkins(a)aol.com> > Sent: Thursday, October 04, 2001 8:50 PM > Subject: RE: [Phpmyadmin-users] Disney & more > > > > > > Hello Jo Ann. > > > > I have to - once for all - ask you to STOP spam-mailing the phpMyAdmin > Users > > mailinglist (and for the matter - also the phpMyAdmin-devel list) - if I > see > > as much as one posting from you again in these lists - I'll fill a formal > > complaint against you to AOL.com and request that your account is shut > down. > > > > And don't think that it's just a threat - I'm working in the abuse and > > security department at the largest Internet Service Provider, ISP - in > > Denmark and we have good connections to the abuse department at AOL.com > and > > you _will_ be shut down! > > > > So, please, do us all a favour and keep your spam (that's: unwanted bulk > > e-mail) of our mailinglists... > > > > -- > > Kind regards > > Geert Lund, > > System Developer, > > TDC Internet A/S - http://www.teledanmark.dk/ > > > > > > > > ----- Original Message ----- > > From: <joaharkins(a)aol.com> > > To: <phpmyadmin-users(a)lists.sourceforge.net> > > Sent: Thursday, October 04, 2001 8:33 PM > > Subject: [Phpmyadmin-users] Disney & more > > > > > > > Celebrate Disneys 100th birthday, with Disney Collectables at discounted > > > prices! > > > www.josdiscountstore.com > > > > > >

22 years, 11 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

Developers