Securing phpMyAdmin

30 Apr 2013


I run phpMyAdmin for a number of websites and (thanks, StackOverflow) this is my checklist for phpMyAdmin security.

What gets done depends a lot on the client’s web host and how much control I have, but this is a short list of things which can be done.

  1. Change the folder location
    I’ve changed the application folder from the obvious names such as phpMyAdmin or pma to something a little less predictable: databaseliveshere, or a folder name of your choice.
  2. Passwords
    This is rather duh, but there’s no harm in stating the obvious: secure passwords which are proof against a brute-force attack.
  3. Limit Access by IP Address
    This depends on how many people are accessing phpMyAdmin, and whether everyone has a static IP address, but I like to set up .htaccess so it restricts access to a subset of IP addresses.
    # These directives apply to every request method. Wrapping them in <Limit GET>
    # would leave POST, which phpMyAdmin uses for login and queries, unrestricted.
    Order deny,allow
    Deny from all
    # 203.0.113.10 is a placeholder: list the static addresses that need access.
    Allow from 203.0.113.10
  4. Root shouldn’t have access to phpMyAdmin
    I edit the config file for phpMyAdmin and set AllowRoot to false.
  5. HTTPS
    I set up a self-signed security certificate so I can access phpMyAdmin via https. This way the login and password aren’t sent over the wire in the clear for an attacker to pick up.
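The same checklist expressed as a phpMyAdmin config.inc.php fragment, added here as an example rather than taken from the post. The $cfg keys are phpMyAdmin’s documented options (ForceSSL as it existed in the versions current when this was written) and 203.0.113.10 is a placeholder address.

```php
<?php
// Added example of a config.inc.php fragment for the checklist above
// (not the post's own file). 203.0.113.10 is a placeholder address.
$i = 1;

// Item 4: refuse MySQL root logins through phpMyAdmin altogether.
$cfg['Servers'][$i]['AllowRoot'] = false;

// Item 2: never accept an empty password, whatever the MySQL grant allows.
$cfg['Servers'][$i]['AllowNoPassword'] = false;

// Item 3: an in-application IP allow-list that still applies if the web
// server ignores .htaccess. Rules read "allow|deny <user> from <address>";
// % matches any user, "all" matches any address.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'deny % from all',
    'allow % from 203.0.113.10',   // placeholder: your static address
);

// Item 5: send plain-http requests to https so the login form and its
// password are never submitted in the clear.
$cfg['ForceSSL'] = true;
```

The AllowDeny rules are evaluated by phpMyAdmin itself at login, so they complement rather than replace the .htaccess restriction in item 3.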

PHP North West 2011 Conference

10 Oct 2011


I’ve just spent a weekend at the PHP North West 2011 Conference.  I went to the London PHP day in February and a couple of people in the bar were enthusing about the North West event, so I decided to give it a go.

Why did I go to the conference?

I usually work from home, and I work on my own and this (while still being wonderful and completely amazing and the best way to work ever) does mean that I miss out on the company of other developers.  Working with, and talking to, other people is a great way to learn; people tell you about things, you try new things, you get enthused and excited and you remember why you love your work.   Weblogs and mailing lists and twitter and IRC, although good things in and of themselves, are not quite the same as people.  So I try to fill the hole with local events and the occasional conference.  Sometimes it’s hard work; like a lot of people in this field I’m not the most sociable and gregarious person.

What did I like?

There was a great selection of talks, and making a choice was often difficult.  Choice isn’t always good – I sometimes end up feeling that the talk on the other side of the fence was greener and wondering what I’m missing.   But I saw some wonderful presentations, and all the presentations in the main tracks were videoed so I can check out the talks I missed when the videos go online (in about a month).


UTF8 all over the place

22 Jul 2011


For all web applications, I have to make sure I’m using UTF8. It’s not just for customers who want the occasional page in Japanese or Korean; it’s for perfectly standard English pages which use text such as Ætna or the non-ASCII pound sign £.

Now, to get this right, I have to make sure the database is set up to handle UTF8 AND the web server is set up to handle UTF8 AND the browser is set up to handle UTF8…


What PHP Programmers do for fun

11 Jan 2011


I’m about to head off to the PHP West Midlands get-together for January.
The group meets the second Tuesday of every month, and it alternates between social and technical meets. This month: “What’s new in Zend Framework 2.0” by Rob Allen.
Dave has arranged for a new venue and we’re now meeting in the Birmingham Science Park. I’m not exactly a regular, but will be going more frequently this year – my Tuesdays are a little more open for socialising and php-ing. Most of the group activity is on the mailing list and that’s always a useful source of advice and suggestions.

And at the end of next month, we have PHPUK11 – a one-day event arranged by the London PHP group. The talks are good, but as always it’s the chat over coffee with other developers which really makes it worthwhile. I usually work as a solo developer, so bumping heads with other people in the same field matters. Too much possibility of stagnating otherwise.

Php Swift Mailer

4 Jun 2007

I’ve recently been using Php Swift Mailer and will now be using it for all my php applications which require email.

The initial impetus was that I needed to send mail via an SMTP server which required authentication, and I also wanted to set up and post multipart (text + html) messages and messages with attachments. Swift Mailer does both of these very nicely.

It also checks for mail injection attacks, which php mailer doesn’t, so I’ve ditched my own message checking code in its favour. This matters, because I’ve been noticing a LOT of mail injection attacks / site hacking attempts on one of my php sites recently.
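What a mail-injection check amounts to, as an added example rather than Swift Mailer’s own code: PHP’s mail() passes header text through verbatim, so any user-supplied value that reaches a header must be refused if it could start a new line. Function names and the form input are ours.

```php
<?php
// Added example (not Swift Mailer's code) of the kind of check the post
// credits Swift Mailer with. Function names and sample input are ours.

// A header value may not contain CR or LF: a line break ends the current
// header and starts a new one, which is exactly what mail injection relies on.
function safeHeaderValue($value) {
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('Header value contains a line break');
    }
    return trim($value);
}

// Addresses get the stricter check: a syntactically valid address cannot
// carry a line break or a second recipient.
function safeAddress($address) {
    $address = trim($address);
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Not a valid e-mail address');
    }
    return $address;
}

// Build the header block for mail() from untrusted form fields; throws
// instead of sending when any field fails its check.
function buildHeaders($from, $replyTo) {
    return 'From: ' . safeAddress($from) . "\r\n"
         . 'Reply-To: ' . safeAddress($replyTo) . "\r\n"
         . 'X-Mailer: PHP/' . phpversion();
}

// Constructed form input: the second subject carries an embedded line break.
$good = array('from' => 'alice@example.com', 'subject' => 'Order confirmation');
$bad  = array('from' => 'alice@example.com', 'subject' => "Order confirmation\r\nX-Extra: yes");

try {
    $headers = buildHeaders($good['from'], $good['from']);
    $subject = safeHeaderValue($good['subject']);
    // mail('orders@example.com', $subject, 'Thanks for your order.', $headers);
    echo "good message accepted\n";
    safeHeaderValue($bad['subject']);   // throws before anything is sent
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";   // log it; never send it
}
```

The rejected value is worth logging, since repeated rejections from the same form are a useful early sign of the probing the post describes.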

Failing with grace and artistry

1 Jun 2007


One of the problems I’ve always had with PHP error handling is catching the fatal errors. If a php script encounters a fatal error it stops, and the desired error handling code does not get executed.

So the user will (usually) be confronted with a blank screen and, worse still, since the error isn’t logged I don’t know about it and therefore can’t fix it.

It’s a rare and confident user who will report a blank page or other such glitch; people are so used to working with a certain level of pain when using a computer that they just assume it’s unavoidable or that it’s been caused by their own inadequacy in some way.

Anyway (thank you, PHP London user group), I now have a solution using register_shutdown_function().


<?php
// register the clean-up function before any of the real work starts,
// and mark the script as running
$running = true;
register_shutdown_function('cleanExit');

// ... go and do all sorts of exciting stuff ...

// reached only if the script got to the end without a fatal error
$running = false;

function cleanExit() {
	if ($GLOBALS['running']) {
		// script is still running - it's an ERROR
		// tell Bronwen about the error
		// tell user it's not their fault
	}
}
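The technique carried through, as an added example and not the post’s own code: the $running flag says whether the script reached its normal end, and error_get_last() (PHP 5.2 and later) says which fatal error cut it short, so the handler can log the detail and give the user a plain apology instead of a blank page. Names, wording and the log destination are ours.

```php
<?php
// Added example (not the post's code) of the register_shutdown_function()
// pattern. Assumes PHP 5.2+ for error_get_last() and a writable error log.
$running = true;
register_shutdown_function('cleanExit');

function cleanExit() {
    if (!$GLOBALS['running']) {
        return;                          // normal end of script: nothing to do
    }
    $error = error_get_last();
    // Only the fatal family stops the script before $running is cleared.
    $fatal = array(E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR, E_USER_ERROR);
    if ($error === null || !in_array($error['type'], $fatal, true)) {
        return;                          // e.g. exit() called early: not an error
    }
    // Tell the developer: full detail goes to the server log, never to the browser.
    error_log(sprintf('Fatal: %s in %s on line %d',
        $error['message'], $error['file'], $error['line']));
    // Tell the user: a short, non-technical page that says it's not their fault.
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<p>Sorry, something went wrong at our end. It has been logged and we will fix it.</p>';
}

// ... go and do all sorts of exciting stuff ...
// Uncomment to watch the handler fire: undefined_function_call();

// Reached only if nothing fatal happened above.
$running = false;
```

Keep display_errors off in production, otherwise PHP prints the raw message (with file paths) before the handler runs. A parse error in the file that registers the handler still gives a blank page, because the registration never executes; only parse errors in files included later are caught.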

Favourite error message of the week

11 Nov 2006


Subtitle – Study Programming and Learn New Things About Punctuation

This week, when running a Php script, I got the error message:

Parse error: syntax error, unexpected ')', expecting T_PAAMAYIM_NEKUDOTAYIM

After the “what!” reaction, I looked it up (remember, Google is your friend) and found that PAAMAYIM_NEKUDOTAYIM is Hebrew for a pair of colons.

It’s very nice that there is a word for a pair of colons (:: is used to access a static element of a class, so it can be used), but I feel that I am rather unlikely to use this term in casual conversation, or even in geeky programming-type conversations. I wonder if developers who have English as a second language have similar problems with the more standard and less esoteric error messages.

I’m also reminded, but not in a particularly nice way, of my first job where I wrote code for a Geac 9000 library computer in a language called ZOPL (ZOPL stands for “Version Z, Our Programming Language”). The guy who’d written the ZOPL compiler had obviously been a Pink Floyd fan and some of the error messages reflected this.