#1
Admin a database, through website or admin tool?
Hi,

I'm designing a webapp and wanted to know your views on the most secure way to manage its database, i.e. through something like PhpMyAdmin or directly through a user login account that has admin privileges? The setup will be Java EJBs accessing MySQL.

Does introducing software like PhpMyAdmin present an additional route that a hacker can exploit, or does the presence of an admin account render the webapp too vulnerable should the username/password combo be compromised?

Any advice greatly appreciated,
Mike

#2
|
||||
|
||||
|
Hi,

Any installed program is another access point for any hacker. PhpMyAdmin tends to be fairly secure, but the thought of leaving it on the webserver scares me. There have been a few vulnerabilities recently (v2.6.1 had a few XSS vulns, there was another XSS one about two months ago, and there was a path disclosure bug around 2.6.0).

Personally, I move it in and out of the webroot when I need to use it. Failing that, try and hide it behind a log-in section or something.

Whatever you do, lock it down hard. Don't set it up to use the root password, use HTTP/Cookie authentication (and not a default entry in config.inc.php). Use blowfish encryption in the cookies by setting $cfg['blowfish_secret'] = 'a string' etc.

--Simon
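
One way to check a phpMyAdmin `config.inc.php` for the settings warned against in the post above. This is an added example, not part of the thread; the function name, the finding labels and both sample configs are constructed for illustration.

```python
import re

# $cfg[...][...] = 'value';  (single- or double-quoted string values only)
ASSIGN = re.compile(r"""\$cfg((?:\[[^\]]+\])+)\s*=\s*(['"])(.*?)\2\s*;""")
KEY = re.compile(r"\[['\"]?([^'\"\]]+)")

def audit_config(text):
    """Return sorted finding labels (hypothetical names) for a config.inc.php body."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("//", "#", "/*", "*")):   # skip commented-out settings
            continue
        for m in ASSIGN.finditer(line):
            key = KEY.findall(m.group(1))[-1]         # last index, e.g. auth_type
            seen.setdefault(key, []).append(m.group(3))
    findings = set()
    auth = seen.get("auth_type", [])
    if "config" in auth:          # credentials stored in the file, no login prompt
        findings.add("auth_type-config")
    if "root" in seen.get("user", []):
        findings.add("root-user")
    if "cookie" in auth and not any(seen.get("blowfish_secret", [])):
        findings.add("blowfish_secret-missing")
    return sorted(findings)

# Constructed sample: stored root credentials, the setup the post warns against.
WEAK = """<?php
$cfg['blowfish_secret'] = '';
$i = 1;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'constructed-example';
"""

# Constructed sample: cookie login with a cookie-encryption secret set.
HARDENED = """<?php
$cfg['blowfish_secret'] = 'constructed-long-random-string';
$i = 1;
$cfg['Servers'][$i]['host'] = 'localhost';
// $cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_config(cfg))
```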