
I've heard that DB with URL access (as with PHPmyadmin) would be less secured than without such access.

I'm not an IS expert and don't work in the field, but I can't see how this saying could be true; why would this matter? In any case, anyone can access the DB locally with software like Workbench or Navicat, if they have the right credentials...

  • DB tend to be configured/ accessed with standard usernames and password = easy target. – JdeHaan Dec 20 '16 at 21:42
  • So we can conclude that DBs are easy targets in general, with or without URLs... –  Dec 20 '16 at 21:43
  • When you have access to the machine the database is running on, you don't need credentials. You can just look at the database files directly. – Philipp Dec 20 '16 at 21:43
  • Often, on the port the application uses to access the db server, you have a firewall configured that only lets the application servers connect. But PHPmyadmin would often be accessible by anyone from any computer on the internet, for the convenience of the site's admins. Also, PHPmyadmin might have a CSRF or XSS bug that would expose the database through the browser of someone who has the credentials, even if the db server is not available from the internet. – Z.T. Dec 20 '16 at 21:57
  • This is a classical case of "I've heard that..." without giving sources. Don't do that. Claims are worthless without context. – Marcus Müller Dec 21 '16 at 00:51
  • PHPMYADMIN IS NOT A DATABASE! It's a tool providing direct access to a database. This whole discussion makes no sense and is predicated on a misnomer. – symcbean Dec 21 '16 at 01:17

2 Answers


It's not necessarily inherently less secure, just often practically.

In the first place, adding more software adds more things you have to secure. Phpmyadmin has had its share of vulnerabilities, and now you have to worry about those in addition to the MySQL ones you had to worry about before.

One fairly standard thing to do with MySQL is to limit the privileges of accounts to only accept logins from a small whitelist of IPs (for a small app, that can be just localhost). But as soon as you install Phpmyadmin, you've provided a proxy of sorts for MySQL access from anywhere - unless you take extra steps to lock that down as well.

Web interfaces like this can be set up securely, but they just add another administrative tool that you need to secure; if you learn how to use the command-line mysql client over ssh, then you can eliminate one entry point for an attacker.

Xiong Chiamiov

By default, most database servers provide local access only (e.g. user@localhost). Without a web application, no amount of password guessing or SQL-injected HTTP posting will allow a remote attacker access to the database.

Web applications hosted on the same machine will generally connect to the database via the local loopback IP or domain and accept HTTP requests from the network. Thus a web application provides an attack vector for your database. The more hosted apps you have connected to your database (WordPress, Drupal, phpMyAdmin, etc.), the greater the risk that the database can be exploited.

PHPMyAdmin in particular is a great target for an attacker because a single username/password combination could provide full, unfettered access to all databases on the MySQL server. Most web applications only require connecting to a single database with an unprivileged user.

brirus
  • "PHPMyAdmin in particular is a great target for an attacker because a single username/password combination could provide full, unfettered access to all databases on the MySQL server" | I think we can say exactly the same about MySQL Workbench, given that the only extras there are connection type and IP. –  Dec 21 '16 at 23:42
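The host-scoped accounts both answers describe, worked through as an added MySQL example (not code from either answer): a least-privilege application account, the kind of any-host superuser account that phpMyAdmin would expose, and the audit queries an administrator would run to find such accounts. The schema name `appdb` and the account names are assumptions.

```sql
-- Least-privilege application account, as the second answer recommends:
-- reachable only from the local host and only for the one schema it needs.
-- (appdb and the account names are assumed for this example.)
CREATE USER 'app'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'localhost';

-- The setting the first answer warns about, constructed here so the audit
-- queries below have something to flag: an all-privilege account that
-- accepts logins from any host ('%').
CREATE USER 'admin'@'%' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%';

-- Audit 1: which accounts may log in from a non-local host?
-- Anything listed here is reachable without going through a web application.
SELECT User, Host
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1');

-- Audit 2: which accounts hold server-wide privileges?
-- phpMyAdmin connects from the web server itself, so a 'localhost'-scoped
-- account with these privileges is still reachable from any browser once
-- phpMyAdmin is installed; such accounts deserve the same scrutiny.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('SUPER', 'FILE', 'CREATE USER', 'SHUTDOWN')
ORDER BY GRANTEE;

-- Confirm the application account is limited to its own schema.
SHOW GRANTS FOR 'app'@'localhost';

-- Remediation for the overexposed account: drop it, or re-create it as
-- 'admin'@'localhost' so it can only be used over an ssh session.
DROP USER 'admin'@'%';
```

Running the two audit queries on a server that has phpMyAdmin installed shows which accounts the web interface can turn into remote access, since phpMyAdmin will accept any of them from the browser.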