[Phpmyadmin-devel] Re: prevent users from seeing status and variables, why?
Sebastian Mendel
lists at sebastianmendel.de
Thu Nov 10 23:49:28 CET 2005
Michal Čihař wrote:
> Hi
>
> On Wed 9. 11. 2005 19:51, Marc Delisle wrote:
>> About the SHOW PHP info, there was a time when the cookie containing
>> the password was visible there in plain text, it might explain the
>> reason for this default.
>
> There is also the reason that it can uncover much information about the server.
The difference between phpinfo() and the other settings below is that this
should depend on whether the user is 'superuser' on the 'localhost'!
If I have a local PMA installation to manage localhost(user:root),
intra.myweb.de(user:web) and www.myweb.de(user:web) - phpinfo() is
hidden only if I select one of the two external servers - but without
any reason.
>> For mysqlinfo and mysqlvars, I think it was determined that this is
>> information useful for a system admin.
>
> Both are also useful for the user. We show e.g. collations and storage
> engines in all cases, so these two IMHO should be the same case and I do not
> see the need for a configuration option.
I agree
>> For the password change, I think that most of users, if they have the
>> possibility of changing their password, will do it, then will
>> complain in phpMyAdmin support forums because all their other MySQL
>> apps are now broken.
>
> Yes, this one should be enabled by admin.
ok
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet