
I just have a quick question about PHPMyAdmin setup on Windows Subsystem for Linux.

I am currently in the process of building a Shopify app and have set up the LAMP stack with PHPMyAdmin. Once inside of PHPMyAdmin, I saw an error that said it could not connect to MySQL because it did not have proper access (access denied).

In order to deal with this issue, I followed the instructions in the StackOverflow post below:

phpMyAdmin ERROR: mysqli_real_connect(): (HY000/1045): Access denied for user 'pma'@'localhost' (using password: NO)

The post instructed me to go create a new user in MySQL called pma and give that user access to all privileges followed by editing the contents of my config.inc.php file by adding the following code to it:

$cfg['Servers'][$i]['controluser'] = 'pma'; 
$cfg['Servers'][$i]['controlpass'] = 'my_password_here';

So everything seems to be working now but I wanted to know if this will cause any security issues for me once I put the app in production?

I am asking because, at the top of the config.inc.php file, it says that you should not store any passwords inside of it.

So is this something I should worry about? And if it is, how can I solve the issue of my PHPMyAdmin access being denied without creating potential security issues?

  • 1
    please read https://docs.phpmyadmin.net/en/latest/setup.html#securing – nbk Jan 17 '22 at 22:35
  • 1
    You really should reconsider whether installing phpMyAdmin in production is needed. This is a really bad idea. This tool is designed for development machines, not for production use. – Dharman Jan 17 '22 at 22:47
  • @Dharman Oh ok, I thought it was used in production as well because WordPress uses it if you want to write SQL queries for a WordPress project. If I am not supposed to use that in production, what else can I use as a GUI to see what is happening in my database? – pierre_web_dev Jan 18 '22 at 18:03
  • @user2864740, I get that this seems like a dumb question but when I looked it up in other stack overflow posts people are freely editing the config file. So I just wanted a second opinion. – pierre_web_dev Jan 18 '22 at 18:06
  • That's the thing, you should not be accessing the database using either a GUI or a CLI. Only your application should have access to the database. If you want to have a GUI anyway, you can use phpMyAdmin through a VPN/proxy that would allow only you to access it. – Dharman Jan 18 '22 at 18:13
  • @pierre_web_dev it “seems like dumb question” because it asks the direct question opposed to the advice given directly in the config files. Consider instead: “How can a password be used to connect to phpMyAdmin in a secure manner (because the config file states that it would not be put here)”? It’s already been established one method is not good practice. – user2864740 Jan 18 '22 at 18:17
  • Or even “Why do people put mysql passwords in the config, even when the config file template itself says not to?”; even while an entirely different focus, this doesn’t ignore the stated information. – user2864740 Jan 18 '22 at 18:20
  • 1
    @user2864740 Thanks for the constructive criticism on how to better formulate my question. Now I understand that PHPMyAdmin is not a tool I should use in production anyway. So I guess my next question is, would you recommend using a simple ORM to interact with my database or to just learn some simple SQL queries to do what I need? – pierre_web_dev Jan 19 '22 at 20:05
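
For a development machine, one way to keep the control user's password out of config.inc.php and avoid giving `pma` all privileges. This is an added example, not code from the thread or from phpMyAdmin itself; the secret file path, the helper name `pma_read_secret` and the storage database name `phpmyadmin` are assumptions.

```php
<?php
// Added example: goes in config.inc.php in place of the two hard-coded
// controluser/controlpass lines quoted in the question ($i is already set there).
//
// One-time SQL, run as a MySQL admin, instead of granting pma all privileges.
// "phpmyadmin" is assumed to be the name of the configuration storage database:
//   CREATE USER 'pma'@'localhost' IDENTIFIED BY '<generated password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost';

/**
 * Read a secret from a file kept outside the web root and outside version
 * control. Fails closed: a missing, empty or world-accessible file throws,
 * so phpMyAdmin refuses to load rather than running with a bad credential.
 * (Hypothetical helper, not a phpMyAdmin API.)
 */
function pma_read_secret(string $path): string
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("secret file missing or unreadable: $path");
    }
    clearstatcache(true, $path);
    $mode = fileperms($path) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(
            sprintf('secret file %s is world-accessible (mode %04o)', $path, $mode)
        );
    }
    $secret = trim((string) file_get_contents($path));
    if ($secret === '') {
        throw new RuntimeException("secret file is empty: $path");
    }
    return $secret;
}

// Hypothetical path; suggested ownership root:www-data, mode 0640.
$controlPassFile = '/etc/phpmyadmin/control.pass';

$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = pma_read_secret($controlPassFile);

// Interactive users type their own MySQL credentials at the login form
// (cookie auth is phpMyAdmin's default), so none are stored in this file.
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// Refuse accounts with an empty password and refuse root logins.
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
```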

0 Answers