
phpinfo and phpMyAdmin

From: Creating Secure PHP Websites


phpinfo and phpMyAdmin are useful tools, but it's essential that you keep them secure. If I were a hacker, the first file I would want to see on a computer would be the database password file. But the second file I'd want to see would probably be the one that has phpinfo in it, because it contains all sorts of useful server information. It tells me a lot about how the server is set up, what kinds of things are installed, and all the configuration that has been set up for PHP. A phpinfo file is simply a PHP file that contains a call to the built-in function phpinfo(); inside PHP tags.

When we bring that file up in a browser, we get all sorts of useful information about how things are set up and configured. When we're first setting up PHP and trying to get everything working on a system, this can be really useful, because we can confirm that things are what we expect them to be. For example, it tells us where the php.ini file being loaded is located, so we know which php.ini is actually in use and can go right to that location and edit it. What you don't want is for this file to stick around, and for anyone besides you to have access to it.

Along with phpinfo, you also need to be careful with phpMyAdmin. phpMyAdmin is a third-party application that gives you direct access to your MySQL database through a browser front-end. I mention phpMyAdmin, even though it's a third-party application, because it's extremely popular; in fact, a lot of PHP installations come with it built in. It should be obvious why you want to keep it hidden: it provides extremely powerful access to all of your data. Basically, anything in your database is available through a browser.

Unlike your web application, there is no intermediary layer to prevent people from seeing some of the data; they can see everything, all the time. Take a look at your web server access log some time. I can't tell you the number of requests I see fishing for these two items, and they even look for common attempts to hide them by renaming the files, such as looking for a directory called pma instead of phpMyAdmin. Do not rely on renaming them in order to hide them. Instead, the best security is to use neither of them on your production server.
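As an added example (not from the course), here is a shell pipeline for spotting those probes in a combined-format access log. The log lines are constructed, and the path list is an assumption covering the names mentioned above plus a few common variants.

```shell
#!/bin/sh
# Added example: find requests probing for phpinfo and phpMyAdmin (including
# renamed copies such as /pma) in an Apache/nginx combined-format access log.

# Constructed sample log lines, not real traffic.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /pma/index.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.7 - - [10/Oct/2023:14:01:10 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Request paths associated with phpinfo/phpMyAdmin probing (assumed list).
# The optional group allows the name to sit under any directory; the trailing
# class requires a path separator, query string, quote or space after the name.
PROBE_RE='"(GET|POST|HEAD) /([^" ]*/)?(phpinfo\.php|info\.php|phpmyadmin|pma|myadmin|setup\.php)[/?" ]'

# Print matching log lines (case-insensitive) from stdin.
probe_lines() {
    grep -Ei "$PROBE_RE"
}

# Count probing requests from stdin.
count_probes() {
    probe_lines | wc -l | tr -d ' '
}

# List source addresses that probed, with counts, most active first.
probe_sources() {
    probe_lines | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Run against the sample; pipe a real log into probe_sources instead.
printf '%s\n' "$SAMPLE_LOG" | probe_sources
```

Returning 404s for these paths is the desired outcome; what the report tells you is which sources are scanning, which is useful input for rate limiting or blocking at the web server or firewall.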

phpinfo is really only useful when you're troubleshooting. If you're not in the middle of troubleshooting something, it should not exist on the server at all. And while phpMyAdmin can offer some convenience, I think it's better to reserve that convenience for your development environment and to use MySQL directly from the command line when you're working on your production environment. But if you must have them on your system, then make sure that you require a password; that should be the minimum. If you're using Apache as your web server, you can use .htaccess files to protect an entire directory and require that the web server ask for a password before it gives access to that directory.

phpMyAdmin also offers an HTTP authentication mode which does the same thing: it requires an HTTP authentication username and password before you can get access to phpMyAdmin. The phpMyAdmin documentation also includes some helpful tips about securing your phpMyAdmin installation. The first of these is to remove the setup directory after initial setup. Then choose the authentication method that you want to use; the documentation gives information about each of the authentication methods and some guidelines for why you might choose one over another.

You can also set up MySQL allow and deny rules to keep people from having access to the entire MySQL database, and you can configure it to use an authentication proxy, which is like the .htaccess files we were just discussing. And last of all, you can enable a captcha if you want to block automated requests and ensure that only requests from humans are accepted. Again, the most secure approach is to leave both of these off your production server, so that the public can't access them at all, but if you absolutely must have them, then take the extra time to make sure that you secure them properly.
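As an added example that is not from the course or the phpMyAdmin project, the shell function below applies those steps to a phpMyAdmin directory on Apache 2.4: it removes the setup directory, writes an .htaccess that requires Basic authentication from an allowed address range, and appends the 'http' auth_type and AllowDeny rules to config.inc.php. It assumes the .htpasswd file already exists (created with htpasswd and stored outside the web root), that AllowOverride permits .htaccess in that directory, and that config.inc.php ends in PHP mode with no closing tag, as the shipped sample does.

```shell
#!/bin/sh
# Added example: harden a phpMyAdmin install directory.
#   1. remove setup/ (only needed once; scanners probe for it),
#   2. require an HTTP Basic password AND an allowed source range via .htaccess,
#   3. switch phpMyAdmin to auth_type 'http' and add AllowDeny rules.
# Assumptions: existing .htpasswd file, AllowOverride enabled, Apache 2.4 syntax.

harden_pma() {
    pma_dir=$1          # e.g. /var/www/phpmyadmin
    htpasswd_file=$2    # e.g. /etc/apache2/.pma.htpasswd (outside the web root)
    allowed_cidr=$3     # e.g. 192.0.2.0/24 (administrators' network)

    [ -d "$pma_dir" ] || { echo "no such directory: $pma_dir" >&2; return 1; }

    # 1. The setup wizard directory is not needed after initial configuration.
    rm -rf "$pma_dir/setup"

    # 2. Web-server level password prompt before any phpMyAdmin code runs.
    #    RequireAll means both conditions must hold: valid user AND source IP.
    cat > "$pma_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile $htpasswd_file
<RequireAll>
    Require valid-user
    Require ip $allowed_cidr
</RequireAll>
EOF

    # 3. phpMyAdmin's own HTTP authentication plus per-server allow/deny rules.
    #    '%' matches any MySQL user; with order 'deny,allow' access is denied
    #    unless an allow rule matches, so only the admin range gets through.
    cat >> "$pma_dir/config.inc.php" <<EOF
\$cfg['Servers'][\$i]['auth_type'] = 'http';
\$cfg['Servers'][\$i]['AllowNoPassword'] = false;
\$cfg['Servers'][\$i]['AllowDeny']['order'] = 'deny,allow';
\$cfg['Servers'][\$i]['AllowDeny']['rules'] = ['deny % from all', 'allow % from $allowed_cidr'];
EOF
}

# Usage: harden_pma /var/www/phpmyadmin /etc/apache2/.pma.htpasswd 192.0.2.0/24
```

Serve the directory over HTTPS only, since Basic authentication sends the credentials with every request.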

This video is part of Creating Secure PHP Websites (41 video lessons, 2919 viewers). Author: Kevin Skoglund