[Phpmyadmin-devel] Re: prevent users from seeing status and variables, why?

Sebastian Mendel lists at sebastianmendel.de
Thu Nov 10 23:49:28 CET 2005

Michal Čihař wrote:
> Hi
> On Wed 9. 11. 2005 19:51, Marc Delisle wrote:
>> About the SHOW PHP info, there was a time when the cookie containing
>> the password was visible there in plain text, it might explain the
>> reason for this default.
> There is also reason that it can uncover much information about server.

the difference of phpinfo() with the other settings below is, that this 
should depend on if the user is 'superuser' on the 'localhost'!

if i have a local PMA installation to manage localhost(user:root), 
intra.myweb.de(user:web) and www.myweb.de(user:web) - phpinfo() is 
hidden only if i select one of the two external servers - but without 
any reason

>> For mysqlinfo and mysqlvars, I think it was determined that this is
>> information useful for a system admin.
> Both are also useful for user. We show eg. collations and storage 
> engines in all cases, so these two IMHO sould be same case and I do not 
> see need for configuration option.

i agree

>> For the password change, I think that most of users, if they have the
>> possibility of changing their password, will do it, then will
>> complain in phpMyAdmin support forums because all their other MySQL
>> apps are now broken.
> Yes, this one should be enabled by admin.


Sebastian Mendel

www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet

More information about the Developers mailing list