Security

8.1 Where can I get information about the security alerts issued for phpMyAdmin?

Please refer to [https://www.phpmyadmin.net/security/](https://www.phpmyadmin.net/security/).

8.2 How can I protect phpMyAdmin against brute force attacks?

If you use the Apache web server, phpMyAdmin exports information about authentication into the Apache environment, where it can be used in Apache logs. Currently two variables are available:

userID

User name of the currently active user (they do not have to be logged in).

userStatus

Status of currently active user, one of ok (user is logged in), mysql-denied (MySQL denied user login), allow-denied (user denied by allow/deny rules), root-denied (root is denied in configuration), empty-denied (empty password is denied).

The LogFormat directive for Apache can look like the following:

```apache
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{userID}n %{userStatus}n" pma_combined
```

Then you can use any log analysis tool to detect possible attacks.
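As an added illustration of such log analysis (this is not code from phpMyAdmin or its documentation), the script below parses lines written with the `pma_combined` format above, counts rejected logins per client address using the `userStatus` values listed in this FAQ, and reports hosts that cross a threshold. The log lines, IP addresses and the threshold value are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Pattern for the pma_combined LogFormat from the FAQ:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %{userID}n %{userStatus}n
# Apache writes "-" for a note that was never set (requests that did not reach
# phpMyAdmin's authentication code). Quoted fields containing an escaped quote
# (\") are not handled by this simplified pattern.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<user_id>\S+) (?P<user_status>\S+)$'
)

# userStatus values that mean the login attempt was rejected (from the FAQ above).
DENIED_STATUSES = {"mysql-denied", "allow-denied", "root-denied", "empty-denied"}

# Constructed sample log: four rejected logins from one address, one successful
# login from another, one request that never hit authentication, and one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0" root mysql-denied
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0" root mysql-denied
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0" admin mysql-denied
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0" admin mysql-denied
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" alice ok
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" - -
this line is not in pma_combined format
"""


def parse_line(line):
    """Return the named fields of one pma_combined line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def failed_logins_by_host(lines):
    """Count rejected phpMyAdmin logins per client address and record the usernames tried."""
    failures = Counter()
    users = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user_status"] not in DENIED_STATUSES:
            continue
        failures[rec["host"]] += 1
        users[rec["host"]].add(rec["user_id"])
    return {host: {"failures": n, "users": sorted(users[host])}
            for host, n in failures.items()}


def suspicious_hosts(lines, threshold=5):
    """Hosts whose rejected-login count reaches `threshold` (the cut-off is an assumption)."""
    return {host: info for host, info in failed_logins_by_host(lines).items()
            if info["failures"] >= threshold}


if __name__ == "__main__":
    for host, info in suspicious_hosts(SAMPLE_LOG.splitlines(), threshold=3).items():
        print(f"{host}: {info['failures']} rejected logins, "
              f"usernames tried: {', '.join(info['users'])}")
```

In a real deployment the same function would be fed the Apache access log configured with `CustomLog ... pma_combined`, and the hosts it reports could be passed to a blocking mechanism such as fail2ban; the `userID` field is also useful for spotting many different usernames tried from one address.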

8.3 Why are there path disclosures when directly loading certain files?

This is a server configuration problem. Never enable display_errors on a production site.

8.4 CSV files exported from phpMyAdmin could allow a formula injection attack.

It is possible to generate a CSV file that, when imported to a spreadsheet program such as Microsoft Excel, could potentially allow the execution of arbitrary commands.

The CSV files generated by phpMyAdmin could potentially contain text that would be interpreted by a spreadsheet program as a formula, but we do not believe escaping those fields is the proper behavior. There is no means to properly escape and differentiate between a desired text output and a formula that should be escaped, and CSV is a text format where function definitions should not be interpreted anyway. We have discussed this at length and feel it is the responsibility of the spreadsheet program to properly parse and sanitize such data on input instead.

Google also has a similar view.
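To show what the "sanitize on input" responsibility described above looks like on the consuming side, here is an added example (not phpMyAdmin's code, and not a change to its CSV export) that reads an exported CSV, flags cells a spreadsheet might parse as a formula, and forces them to text with the apostrophe prefix commonly used for that purpose. The sample CSV is constructed; note how the numeric column illustrates the ambiguity the FAQ points out, since a negative balance such as `-42` starts with the same character as a formula.

```python
import csv
import io

# Leading characters that common spreadsheet applications may treat as the
# start of a formula or as a cell-content control character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export: one legitimate negative number, one signed number,
# and two cells that would be evaluated as formulas if imported unescaped.
SAMPLE_CSV = """\
id,name,balance,note
1,Alice,-42,plain text
2,Bob,+3.5,=1+1
3,"Carol, Jr.",100,@SUM(A1)
"""


def _is_number(text):
    try:
        float(text)
        return True
    except ValueError:
        return False


def is_formula_like(cell):
    """True if a spreadsheet would likely evaluate `cell` instead of showing it as text.

    Signed numbers ("-42", "+3.5") are exempted: they start with a trigger
    character but are ordinary data. A cell that starts with a tab or CR is
    still flagged even if the rest is numeric.
    """
    if not cell:
        return False
    if cell[0] in "+-" and _is_number(cell):
        return False
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize(cell):
    """Return `cell` forced to literal text: control characters stripped from the
    front and an apostrophe prefixed. The apostrophe becomes part of the cell's
    content, which is exactly the side effect the FAQ above objects to."""
    if not is_formula_like(cell):
        return cell
    return "'" + cell.lstrip("\t\r")


def sanitize_csv(text):
    """Parse CSV text and neutralize formula-like cells.

    Returns (rows, flagged) where `flagged` lists (row_index, col_index, original)
    for every cell that was changed, so an importer can warn the user.
    """
    rows = []
    flagged = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        clean = []
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                flagged.append((r, c, cell))
                clean.append(neutralize(cell))
            else:
                clean.append(cell)
        rows.append(clean)
    return rows, flagged


if __name__ == "__main__":
    rows, flagged = sanitize_csv(SAMPLE_CSV)
    for r, c, original in flagged:
        print(f"row {r}, column {c}: {original!r} -> {rows[r][c]!r}")
```

The check belongs in whatever imports the file, not in the exporter: the exporter cannot know whether `=1+1` in a `note` column is a formula or the literal text a user stored in the database, which is the FAQ's reason for not escaping.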