0

I have a website hosted by netfirms, and phpmyadmin is part of the package.

It's a very powerful general tool, but it takes a while to load and there are some very long and specific tasks I need to do weekly.

I could easily write a php page that does all of these tasks for me, but some of these tasks include "changing prices" or "removing products". These are tasks I would not want anyone on the internet to be able to perform.

I know I'll never reach perfect security, but I'd like it to be no worse than it is now.

Ideally I'd like a solution that will work on any computer with internet access I can get a USB stick to. (I don't want to have to run an installer for each new computer.)

Jonathon Philip Chambers
  • 159
  • 7
  • If you want to do a php thing, I suggest you use a PHP framework like Laravel or etc. This way it takes care of a bunch a security issues for you automatically. – cybernard Mar 27 '19 at 00:11

1 Answers1

1

PHPMyAdmin is not a security tool, and using it is risky in itself. You log in directly using the database account, with all the privileges the account has. If your task is to update the database, this means write access. Of course you could create a limited database account that has only access to certain tables, but that's not really practical and most likely the hosting company has given you exactly one account with full privileges. If this database account gets compromised, the whole database gets compromised. It's exposed to several risks when your requirement is to be able to work on any computer with Internet access.

Having a separate tool that is limited to certain use cases is recommendable, as it can have an authentication that is totally independent from the database account, and own account for every user. The tool can also have detailed access control over who can update what, and logs for auditing the changes etc.

The cons are that creating such a tool from scratch and making it secure is not an easy task. The authentication might be bypassed, you might leave vulnerabilities for SQL injections or expose the database password with configuration mistakes. Using anything that has been developed for years, is widely used by others and gets regular security updates is preferable.

To achieve both you would look for a widely used ecommerce platform. If you really must perform administrative tasks from external non-trusted computers, it's recommended to have some multi factor authentication.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
  • I'm using a "written from scratch" ecommerce platform. It's far too late to swap platforms at this stage in the game. This is an established business that's making sales frequently. I'm just getting annoyed with phpMyAdmin, I know how to write an alternative, I know how to prevent SQL injections, but exposing passwords and multi factor authentication are all new to me. I don't even know where to start to learn this stuff, and I don't want to leave myself vulnerable to attacks I currently don't even know exist. – Jonathon Philip Chambers Feb 25 '19 at 05:25