There are two easy options:
1) You can place the phpmyadmin directory in an authenticated directory using standard basic authentication (or digest if you are using IE 5.0 or above).
2) Change the authentication type in phpmyadmin to cookie so you need to log in at the index.php page. Also, careful attention to the privileges of the user that is able to access the sql server will make things a bit more secure but as with everything over the internet...nothing is perfect.
Using both of the above wouldn't be a bad idea.
SL
LanceS wrote:
Hi All.
If I accept the default location my server provides for installation... /html/phpmyadmin, then anyone can type index.php3 into their browser and phpmyadmin opens and displays all the mysql dbs on the server.
If I have root as the user and root's pwd in the config.inc.php3 file,
then when I run phpmyadmin the one live database that exists on - one of
my clients' sites - is visible showing all details of the mysql db.
When I remove all references to users and passwords in the
config.inc.php3 file then I am still able to see the db's listed, but
not the data. Clicking on a db name (in the left column) returns "no
tables found in database."
If I move the phpmyadmin directory out of the /html directory then I'm unable to access it.
How does one protect phpmyadmin?
Lance
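
Option 2 from the reply, shown against the stored-credentials setup described in the question. This is an added example, not part of either post: it assumes the `$cfg['Servers']` syntax of current phpMyAdmin releases (the `config.inc.php3`-era file in the thread names its variables differently), and every value is a placeholder.

```php
<?php
// Added illustration for config.inc.php; values are placeholders.
$i = 1;

// Before: credentials stored in the file. Anyone who can request
// index.php is connected as this account without being prompted.
// $cfg['Servers'][$i]['auth_type'] = 'config';
// $cfg['Servers'][$i]['user']      = 'root';
// $cfg['Servers'][$i]['password']  = 'PLACEHOLDER-root-password';

// After: cookie authentication. No MySQL credentials live in this file;
// each visitor has to supply a MySQL user name and password on the
// login page before any database is listed.
$cfg['Servers'][$i]['host']      = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';

// Secret used to protect the login cookie; replace with a random value.
$cfg['blowfish_secret'] = 'PLACEHOLDER-replace-with-random-secret';

// Refuse logins as root through the web interface, so day-to-day access
// goes through accounts whose privileges are limited to their own
// databases.
$cfg['Servers'][$i]['AllowRoot'] = false;
```

With cookie authentication the MySQL grants of whichever account logs in decide what is visible, which is why the reply's point about user privileges matters alongside the login change.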