9 Nov
2005
9 Nov
'05
8:29 a.m.
Hi,
what is the reason for setting this default values to false?
$cfg['ShowMysqlInfo'] = FALSE; // whether to display the "MySQL
runtime
$cfg['ShowMysqlVars'] = FALSE; // information", "MySQL system
variables", "PHP
$cfg['ShowPhpInfo'] = FALSE; // information" and "change
password" links for
$cfg['ShowChgPassword'] = FALSE; // simple users or not
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
9 Nov
9 Nov
8:51 a.m.
Sebastian Mendel a écrit :
Hi,
what is the reason for setting this default values to false?
$cfg['ShowMysqlInfo'] = FALSE; // whether to display the "MySQL
runtime
$cfg['ShowMysqlVars'] = FALSE; // information", "MySQL system
variables", "PHP
$cfg['ShowPhpInfo'] = FALSE; // information" and "change
password" links for
$cfg['ShowChgPassword'] = FALSE; // simple users or not
About the SHOW PHP info, there was a time when the cookie containing the
password was visible there in plain text, it might explain the reason
for this default.
For mysqlinfo and mysqlvars, I think it was determined that this is
information useful for a system admin.
For the password change, I think that most of users, if they have the
possibility of changing their password, will do it, then will complain
in phpMyAdmin support forums because all their other MySQL apps are now
broken.
Marc
10 Nov
10 Nov
3:08 a.m.
New subject: [Phpmyadmin-devel] Re: prevent users from seeing status and variables, why?
Hi
On Wed 9. 11. 2005 19:51, Marc Delisle wrote:
About the SHOW PHP info, there was a time when the
cookie containing
the password was visible there in plain text, it might explain the
reason for this default.
There is also reason that it can uncover much information about server.
For mysqlinfo and mysqlvars, I think it was determined
that this is
information useful for a system admin.
Both are also useful for user. We show eg. collations and storage
engines in all cases, so these two IMHO sould be same case and I do not
see need for configuration option.
For the password change, I think that most of users,
if they have the
possibility of changing their password, will do it, then will
complain in phpMyAdmin support forums because all their other MySQL
apps are now broken.
Yes, this one should be enabled by admin.
--
Michal Čihař | http://cihar.com
9:49 p.m.
New subject: [Phpmyadmin-devel] Re: prevent users from seeing status and variables, why?
Michal Čihař wrote:
i agree
ok
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
Hi
On Wed 9. 11. 2005 19:51, Marc Delisle wrote:
the difference of phpinfo() with the other settings below is, that this
should depend on if the user is 'superuser' on the 'localhost'!
if i have a local PMA installation to manage localhost(user:root),
intra.myweb.de(user:web) and www.myweb.de(user:web) - phpinfo() is
hidden only if i select one of the two external servers - but without
any reason
About the SHOW PHP info, there was a time when
the cookie containing
the password was visible there in plain text, it might explain the
reason for this default.
There is also reason that it can uncover much information about server. For mysqlinfo
and mysqlvars, I think it was determined that this is
information useful for a system admin.
Both are also useful for user. We show eg. collations and storage
engines in all cases, so these two IMHO sould be same case and I do not
see need for configuration option. For the
password change, I think that most of users, if they have the
possibility of changing their password, will do it, then will
complain in phpMyAdmin support forums because all their other MySQL
apps are now broken.
Yes, this one should be enabled by admin.
11 Nov
11 Nov
12:55 a.m.
New subject: [Phpmyadmin-devel] Re: prevent users from seeing status and variables, why?
Hi
On Fri 11. 11. 2005 09:02, Sebastian Mendel wrote:
the difference of phpinfo() with the other settings
below is, that
this should depend on if the user is 'superuser' on the 'localhost'!
if i have a local PMA installation to manage localhost(user:root),
intra.myweb.de(user:web) and www.myweb.de(user:web) - phpinfo() is
hidden only if i select one of the two external servers - but without
any reason
There is no relation on being superuser in mysql and beeing able to have
information about webserver. I'd leave this only on config option.
So my suggestion:
Drop $cfg['ShowMysqlInfo'] and $cfg['ShowMysqlVars'] and show them in
all cases. Drop $is_superuser condition from showing php info.
--
Michal Čihař | http://cihar.com
3:25 a.m.
New subject: [Phpmyadmin-devel] Re: prevent users from seeing status and variables, why?
Michal Čihař a écrit :
Hi
On Fri 11. 11. 2005 09:02, Sebastian Mendel wrote:
Ok for me.
the difference of phpinfo() with the other
settings below is, that
this should depend on if the user is 'superuser' on the 'localhost'!
if i have a local PMA installation to manage localhost(user:root),
intra.myweb.de(user:web) and www.myweb.de(user:web) - phpinfo() is
hidden only if i select one of the two external servers - but without
any reason
There is no relation on being superuser in mysql and beeing able to have
information about webserver. I'd leave this only on config option.
So my suggestion:
Drop $cfg['ShowMysqlInfo'] and $cfg['ShowMysqlVars'] and show them in
all cases. Drop $is_superuser condition from showing php info.
13 Nov
13 Nov
11:08 a.m.
New subject: [Phpmyadmin-devel] Re: prevent users from seeing status and variables, why?
Hi
On Fri 11. 11. 2005 14:24, Marc Delisle wrote:
Michal Čihař a écrit :
Just committed.
--
Michal Čihař | http://cihar.com
So my suggestion:
Drop $cfg['ShowMysqlInfo'] and $cfg['ShowMysqlVars'] and show them
in all cases. Drop $is_superuser condition from showing php info.
Ok for me.
6873
days inactive
6877
days old
6 comments
3 participants
participants (3)
-
Marc Delisle -
Michal Čihař -
Sebastian Mendel