Hello Alain.
- much more important: in virtual hosting, you can't change mysql parameters: it's not advanced auth but the 'only_db' feature is really important in real life use of Pma in such environments.
But that's the point exactly - it's not in the scope of pMA to handle MySQL security issues - if MySQL permissions aren't set correctly - then it's the administrator that's lazy - and it should not depend on pMA to set up "intended" permissions... pMA should not be a security shell layer above the MySQL Server...
So I definitely don't hope that ISPs in VHost environments count on pMA to set permissions solely based on the only_db feature of phpMyAdmin. That's really very wrong ... very very wrong...
So the question is not whether pMA should be a security layer above the MySQL Server or not (because we - the developers - agree - at least until now - that we won't make security tighter in pMA than what's allowed by the MySQL permissions) - but a question about - does the only_db make any sense or not...
To all:
And I agree - when pMA is run in a multihosting environment with perhaps 100's or 1000's of databases it's really important only to show allowed databases... So in my opinion - the use of only_db would be far more correct if it's a TRUE/FALSE variable - that tells pMA to check for permissions and only show allowed databases of the authenticated user. (and actually I think that MySQL has a feature that enables the same thing - that MySQL only shows allowed databases and tables to the client based on the authenticated user - I just can't find it in the documentation at this moment - but I'll keep searching :o)) ).
-- Kind regards Geert Lund
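
The behaviour proposed in the message above (only_db as a TRUE/FALSE switch that shows only the databases the authenticated user is allowed to use), sketched as an added example that is not part of the original message and is not phpMyAdmin code: it derives the visible list from `SHOW GRANTS`-style lines, so the display follows the server's permissions instead of replacing them. The account, database names and grant lines are constructed, and name matching is assumed to be case-sensitive.

```python
import re

# Matches "GRANT <privs> ON <db>.<table> TO ..." as printed by SHOW GRANTS.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?:`(?P<db>[^`]+)`|\*)\.(?:`(?P<tbl>[^`]+)`|\*) TO ")

def db_pattern_to_regex(pattern):
    """Database-level grants treat % and _ as wildcards unless backslash-escaped."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        out.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
        i += 1
    return re.compile("".join(out))

def visible_databases(all_dbs, grant_lines):
    """Return the databases the account holds any real privilege on."""
    matchers = []
    for line in grant_lines:
        m = GRANT_RE.match(line)
        if not m or m["privs"].strip().upper() == "USAGE":
            continue  # USAGE means "no privileges"; unparsable lines grant nothing
        if m["db"] is None:
            return sorted(all_dbs)  # a real privilege ON *.* covers every database
        if m["tbl"] is None:
            matchers.append(db_pattern_to_regex(m["db"]))  # ON `db`.*
        else:
            matchers.append(re.compile(re.escape(m["db"])))  # table-level: literal name
    return sorted(d for d in all_dbs if any(rx.fullmatch(d) for rx in matchers))

# Constructed data for a hypothetical shared-hosting account "cust42".
ALL_DATABASES = ["cust42_shop", "cust42_blog", "cust42xshop",
                 "cust7_shop", "mysql", "shared"]
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'cust42'@'localhost'",
    "GRANT ALL PRIVILEGES ON `cust42\\_%`.* TO 'cust42'@'localhost'",
    "GRANT SELECT ON `shared`.`news` TO 'cust42'@'localhost'",
]

if __name__ == "__main__":
    print(visible_databases(ALL_DATABASES, SAMPLE_GRANTS))
```

An unescaped `_` in a database-level grant is a single-character wildcard, so a grant on `cust42_shop` also covers a database named `cust42xshop`; the list shown to the user only mirrors whatever the grants really allow.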