Does phpMyAdmin pose a security risk on production - mysql

The VPS I was using used to have a phpMyAdmin pre-installation option but removed it, stating that it poses a security risk. Does it?
If so, do you recommend an alternative for browsing the DB on production (other than running SQL commands in the console)?

Any extra software you add to a system adds complexity. Complexity is the enemy of security.
PHP webapps are notorious for sloppy coding, and phpMyAdmin has certainly had more than its share of security holes in the past. You can certainly mitigate the damage by e.g. putting it behind HTTPS with a client certificate, but that's not going to prevent cross-site request forgery attacks.
For a production machine, I'd really prefer to stick to the console.

It depends. If you can get all access to phpMyAdmin to go through SSL only, and enforce strong password security on the web site, it can be secure.
Otherwise it's opening your entire DB server to the world in clean view.

1) install classic phpMyAdmin
2) add SSL to your phpMyAdmin
3) add .htaccess and protect it with a password
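The two Apache pieces behind steps 2 and 3, as an added example that is not code from the answer above: a script that writes an `.htaccess` refusing non-TLS requests and demanding an HTTP Basic password before phpMyAdmin's own login form is even reached, plus the htpasswd entry to go with it. The file paths, the user name and the realm text are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the answer above: writes the Apache pieces
# that implement steps 2 and 3, HTTPS-only access plus an HTTP Basic
# password prompt in front of phpMyAdmin's own login form. The paths,
# user name and realm are assumptions for illustration.

# .htaccess body. Needs `AllowOverride AuthConfig` for the phpMyAdmin
# directory and mod_ssl loaded. The htpasswd file must live outside the
# document root so it can never be downloaded through the web server.
pma_htaccess() {
    htpasswd_file=$1
    cat <<EOF
# Refuse any request that did not arrive over TLS (mod_ssl)
SSLRequireSSL
# Password prompt before phpMyAdmin is even reached
AuthType Basic
AuthName "phpMyAdmin (admins only)"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}

# One htpasswd line for a user. Rejects names that would corrupt the
# user:hash file format, then hashes with bcrypt via htpasswd when it is
# installed, falling back to openssl's apr1 (MD5-based) scheme.
# Note: -b puts the password on the command line, visible in the process
# list; for a real admin account run `htpasswd -B file user` interactively.
htpasswd_line() {
    user=$1; password=$2
    case "$user" in
        ''|*:*) echo "invalid user name: '$user'" >&2; return 1 ;;
    esac
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$user" "$password"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$password")"
    else
        echo "need htpasswd or openssl to hash the password" >&2; return 1
    fi
}

# Usage (writes both files; adjust the paths to your layout):
#   pma_htaccess /etc/apache2/pma.htpasswd > /var/www/phpmyadmin/.htaccess
#   htpasswd_line admin 'long random passphrase' >> /etc/apache2/pma.htpasswd
```

The password prompt is a second, independent gate: a bug in phpMyAdmin's login page or session handling cannot be reached by someone who does not also hold the Basic-auth credential, and `SSLRequireSSL` keeps that credential off the wire in plaintext.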

More third-party software means more issues you can get. My recommendation is to use the mysql console on the VPS and deny outside connections to mysql with root rights.
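What "deny outside connections with root rights" looks like in practice, as an added example that is not code from the answer above: an audit that reads the `user,host` rows from `mysql.user` and flags every account reachable from a remote host, followed by the lockdown statements. The sample rows and the `app`/`appdb` names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the answer above: an audit of which MySQL
# accounts can be reached from outside the VPS, plus the lockdown
# statements that back the advice. The rows in SAMPLE_USERS and the
# account names are constructed for illustration.

# Constructed sample of `mysql -N -e "SELECT user,host FROM mysql.user"`
# (tab separated: user, host). Three of the five accounts are local.
SAMPLE_USERS=$(printf 'root\tlocalhost\nroot\t%%\napp\tlocalhost\nreport\t10.0.0.%%\nbackup\t127.0.0.1\n')

# Reads user/host rows on stdin and prints user@host for every account
# whose host is not the local machine. A host of % (or a subnet pattern)
# means the password can be attacked over the network, so bind-address
# alone is not enough: the grant table has to agree with it.
remote_accounts() {
    awk -F'\t' '$2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" { print $1 "@" $2 }'
}

# Exit 0 if a root account exists that is reachable from a remote host.
root_exposed() {
    printf '%s\n' "$1" | remote_accounts | grep -q '^root@'
}

# Statements to run after the audit: drop remote root, give the web
# application its own localhost-only account with only the privileges it
# needs. DROP USER IF EXISTS / CREATE USER IF NOT EXISTS need MySQL 5.7+.
# 'app', 'appdb' and the password are placeholders.
lockdown_sql() {
    cat <<'EOF'
DROP USER IF EXISTS 'root'@'%';
CREATE USER IF NOT EXISTS 'app'@'localhost' IDENTIFIED BY 'CHANGE-ME';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Usage on the VPS (also set `bind-address = 127.0.0.1` under [mysqld] in
# my.cnf so the daemon does not listen on public interfaces at all):
#   mysql -N -e "SELECT user,host FROM mysql.user" | remote_accounts
#   lockdown_sql | mysql
```

On the constructed sample the audit reports `root@%` and `report@10.0.0.%`; the first is the one the answer is warning about, since a wildcard root combined with a public `bind-address` hands the whole server to anyone who can guess or phish the password.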

I recommend setting up phpMyAdmin on your local box. Then set up an ssh tunnel to your production box and forward mysql's port to your local machine. Configure your local phpMyAdmin to connect to that forwarded port.
That is, if you really want to use phpMyAdmin.
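The tunnel setup the answer describes, as an added example that is not code from the answer: a script that builds the `ssh -L` forward from a local port to MySQL on the production box and prints the matching `config.inc.php` server entry for the workstation's phpMyAdmin. The host name `db.example.com`, the SSH user `deploy`, the local port 3307 and the file names are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not code from the answer above: open the SSH tunnel that
# carries a workstation phpMyAdmin's traffic to the production MySQL, and
# print the matching config.inc.php server entry. Host name, SSH user,
# ports and file locations are assumptions; set them for your environment.

PROD_HOST="${PROD_HOST:-db.example.com}"  # assumed: production box, SSH reachable
SSH_USER="${SSH_USER:-deploy}"            # assumed: your SSH account there
LOCAL_PORT="${LOCAL_PORT:-3307}"          # local port phpMyAdmin connects to

# True when $1 is an unprivileged TCP port number.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the ssh command line. Two details matter for security:
#  * the local end is bound to 127.0.0.1, not 0.0.0.0, so nobody else on
#    your LAN can ride the tunnel into production;
#  * ExitOnForwardFailure makes ssh exit instead of silently running
#    without the forward when the local port is already taken.
# The remote end is 127.0.0.1:3306, so MySQL on production can stay bound
# to localhost. -N opens no remote shell. To have the tunnel restarted
# when it drops, prefix the command with `autossh -M 0`.
tunnel_cmd() {
    valid_port "$LOCAL_PORT" || { echo "bad local port: $LOCAL_PORT" >&2; return 1; }
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:3306 %s@%s\n' \
        "$LOCAL_PORT" "$SSH_USER" "$PROD_HOST"
}

# Server entry for the workstation's phpMyAdmin config.inc.php. 127.0.0.1
# rather than "localhost" forces a TCP connection; with "localhost" the
# client library may try the Unix socket and never reach the tunnel.
pma_server_config() {
    cat <<EOF
\$i++;
\$cfg['Servers'][\$i]['verbose']   = 'production via SSH tunnel';
\$cfg['Servers'][\$i]['host']      = '127.0.0.1';
\$cfg['Servers'][\$i]['port']      = '$LOCAL_PORT';
\$cfg['Servers'][\$i]['auth_type'] = 'cookie';
EOF
}

# sh tunnel.sh up      -> keeps the tunnel open in the foreground
# sh tunnel.sh config  -> prints the entry to paste into config.inc.php
case "${1:-}" in
    up)     sh -c "$(tunnel_cmd)" ;;
    config) pma_server_config ;;
esac
```

With this layout phpMyAdmin never runs on the production host at all, so none of its web-facing code is exposed there; the only thing listening on the production side is sshd, and the MySQL credentials only ever travel inside the SSH session.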

There have definitely been security holes in the past. You will probably find new ones in the future. It's always a risk to open that kind of tool to public web space.
I recommend installing database management software, and connecting to your production DB through an SSH tunnel. If you're on a Mac, I'd install Sequel Pro for free. On other platforms Navicat (and other similar software) is available, but it does cost money.

Related

How to share phpMyAdmin DBMS to another computer outside network (LAN)?

I am very new to this environment and am currently having difficulty sharing my DBMS work with my teammates. I tried to find solutions, but mostly they were solutions for when you're on the same network. Is there any way (in detail) that I can share it from outside the network?
Try setting up a VPN/proxy server on your LAN; your teammates then connect to that VPN/proxy server externally to access the phpMyAdmin DBMS, since a VPN or proxy makes your teammates' network connection behave as if they were on the same network as the phpMyAdmin DBMS, which is only accessible on the LAN.
This will undoubtedly be the most secure method of connecting to the server, and it also avoids making too many changes to the configuration of the phpMyAdmin DBMS, which could be messed up in the process of modifying all the configuration files and be quite a hassle.

Learning MySQL: Connect to database installed in hosting account, how to access and modify that from desktop

I'm a tyro and want to use a database (MySQL) installed in a hosting account, changing things in the database from my desktop. What software can I use for this?
PS: Most likely I'd be using this database with PHP.
Commercial:
http://www.webyog.com/en/downloads.php
http://www.sqlmaestro.com/products/mysql/maestro/
Freeware or open source:
http://www.sqlmanager.net/products/mysql/manager/
http://www.sequelpro.com/
Others:
Top 15+ MySQL Managers and Tools
However, most web hosts don't allow remote access to their database servers, but they do offer a tool to access the database, generally via a browser (in most cases phpMyAdmin).
If you really want to learn SQL with MySQL, why not just install it on your desktop and avoid future problems (disconnecting, slow connection, etc.)?
Depends on your hosting provider. Most likely it won't allow you to connect from external host (that is, your desktop). Reason? Security.
Your best bet would be to install a copy of phpMyAdmin on the server and manage your DB from the browser.

Secure Remote mySQL Connection

Since our shared hosting server doesn't allow us to set up Tomcat, I decided to install it on our local machine. The local Tomcat server allows us to listen on a certain port for Bancnet transactions, which will then be processed and written to the remote site.
Question:
Is it safe for me to set the local PHP application to connect directly to the remote MySQL server? Any suggestions on how to make the connection secure? BTW, I have a self-signed certificate installed on the localhost but am not sure how this applies to a remote MySQL connection.
You could create an ssh tunnel between the MySQL server and client. For more resiliency, use autossh.
If you don't connect over SSL or some other encrypted tunnel, I would absolutely assume that anything you send to or receive from MySQL is sent in clear text that can be intercepted and used for malicious purposes from any link along the way. This might be fine for testing purposes with dummy data, but before you put this in production use or pull down live user data for testing, you really should either make arrangements for the data to be stored local to the web app or for there to be an encrypted connection.
Giving you a full overview of how to set up SSL connections to MySQL is beyond the scope of Stack Overflow and it's a bit complicated, but if you want to proceed, check out the documentation and do some research, there are some good informational resources out there.
I'm a bit confused as to the architecture you are trying to describe. What's running where?
If you can't install Tomcat then you probably won't be able to install anything like VPN software on the box.
MySQL can encrypt using SSL provided it has been enabled at compile time and at run time.
Alternatively, it should be fairly trivial to build a webservices tier on top of the remote database.
I would recommend switching to a VPS or managed host though.
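The checks behind the two SSL remarks above (that MySQL can encrypt only if SSL was enabled at compile time and at run time, and that anything else travels in clear text), as an added example that is not code from any of the answers: functions that read the output of `SHOW VARIABLES LIKE 'have_ssl'` and `SHOW STATUS LIKE 'Ssl_cipher'` and decide whether the server supports TLS and whether a session actually negotiated it, plus the statement that makes the server refuse plaintext for an account. The `SHOW` outputs are constructed samples and `app` is a placeholder account.

```shell
#!/bin/sh
# Added example, not code from the answers above: tell whether a MySQL
# server is built and started with SSL support, whether a given session
# actually negotiated TLS, and make the server refuse plaintext for an
# account. The SHOW outputs are constructed samples of what the mysql
# client prints (tab separated); 'app' is a placeholder account name.

# mysql -e "SHOW VARIABLES LIKE 'have_ssl'"  (MySQL 5.x / 8.0)
# YES = compiled in and active, DISABLED = compiled in but no certificates
# configured, NO = not compiled in. (The variable was removed in 8.4.)
VARS_TLS=$(printf 'Variable_name\tValue\nhave_ssl\tYES\n')
VARS_OFF=$(printf 'Variable_name\tValue\nhave_ssl\tDISABLED\n')

# mysql -e "SHOW STATUS LIKE 'Ssl_cipher'"  (empty value = plaintext session)
STATUS_TLS=$(printf 'Variable_name\tValue\nSsl_cipher\tTLS_AES_256_GCM_SHA384\n')
STATUS_PLAIN=$(printf 'Variable_name\tValue\nSsl_cipher\t\n')

# Pull one value out of SHOW output on stdin; $1 is the variable name.
show_value() {
    awk -F'\t' -v name="$1" '$1 == name { print $2 }'
}

# 0 when the server reports have_ssl = YES.
server_supports_tls() {
    [ "$(printf '%s\n' "$1" | show_value have_ssl)" = "YES" ]
}

# 0 when the session has a cipher, i.e. is encrypted.
session_encrypted() {
    [ -n "$(printf '%s\n' "$1" | show_value Ssl_cipher)" ]
}

# Server-side enforcement: with REQUIRE SSL the account cannot log in over
# plaintext even if some client forgets to ask for TLS (MySQL 5.7+ syntax).
require_ssl_sql() {
    printf "ALTER USER '%s'@'%%' REQUIRE SSL;\n" "$1"
}

# Live check against a real server (not run here). --ssl-mode=REQUIRED
# (client 5.7.11+) aborts instead of falling back to plaintext; printing
# the negotiated cipher confirms what actually happened on the wire.
live_check() {
    # $1 = host, $2 = user; prompts for the password
    mysql --ssl-mode=REQUIRED -h "$1" -u "$2" -p -e "SHOW STATUS LIKE 'Ssl_cipher'" \
        | show_value Ssl_cipher
}
```

The two sides complement each other: `--ssl-mode=REQUIRED` protects a client that remembers to use it, while `REQUIRE SSL` on the account protects against every client that does not, which is the case that matters when the application's credentials are reused from a laptop or a script.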

Have you used any database-only hosting service?

Are there any database only hosting services?
I need a MySQL-only hosting service but I couldn't find any. All MySQL hosting is part of a package, e.g. PHP + MySQL.
I need it for development purposes. With my PHP files somewhere else, I can remotely connect to this MySQL server, and once an application is ready I can put it on a server that has both PHP + MySQL. [well, there are some reasons to have this kind of setup; if you have something to suggest, please do.]
Any suggestions/recommendations if you have used any.
Thanks
The problem with a database-only host would be security. The database needs to be accessed over the Internet, thus the username and password to access it are sent over the Internet. Even though you could add encryption and other protection, there's still a risk that the security is breached.
In general, you should never allow direct access to databases over the Internet! It's a really bad practice, which also explains why it's hard to find.
One way to get around such a limitation is by building a web service around your database. In this web service you'll add all the functionality that you need to apply to this database, and the web service itself will keep the database protected. There would still be a risk that your web service gets compromised, but even in that case the attacker could never do more damage than the specific web service allows.
Such a web service can be created in PHP, although I myself have more experience with doing something similar with .NET and C# on SQL Server...
I think that you can find hosts with MySQL and PHP cheap enough that it would be easiest for you just to use one of those hosts and only use what you need.
Web Hosting Buzz has a plan for $5.95 (a month) which has unlimited databases, 400GB storage, and 500GB/Month data transfer.
A few weeks after the question was posted, Amazon announced a beta of "Amazon Relational Database Service (Amazon RDS)." It acts like MySQL 5.1.
http://aws.amazon.com/rds/
Seems pricey for what you want, but you never said you were the one who would be paying the bill.
Contract a dedicated server.
Use it only to host your MySQL database.
If the server is managed, they should help you with basic MySQL problems as it is usually preinstalled. I use http://www.hostingmatters.com/
If you just need this for development purposes for PHP + MySQL, why not just install EasyPHP (http://www.easyphp.org/)? This installs quickly and easily and I think it's great for development.
I've had no problems installing additional PEAR extensions and such after the fact with this.
There's a free option on Heroku and paid options up from there: https://addons.heroku.com/cleardb
You can try freemysqlhosting.
http://freemysqlhosting.net/

Remote (Non-LocalHost) MySQL Calls... Safe/Recommended for Management Purposes?

I'm new to MySQL and I'm using a desktop DB management app called "Querious" to simplify the process while I learn.
I want to work on (mainly just structure & basic population) a database that's hosted elsewhere, but the host won't allow any remote MySQL calls on their server.
What is their reasoning for restricting MySQL calls to localhost only? Is this a security or a performance concern?
This is a security concern. The idea is that if people can't remotely connect, they have to compromise the system, not just the files that hold the database information.
You may be able to request that they just add your IP address to a trusted hosts file, but I doubt they'll do that either.
It's fairly common practice to not allow remote DB connections.
I've run into this problem with GoDaddy where they implement this by default. You can change this, however, by indicating that you want to allow remote access. If you've already created your DB, though, you can't change it, so I would recommend creating a new DB and deleting your other one.
The reason why is for security. If only your app can call your DB, you don't have to worry about other people trying to access it.
Distill,
An improperly-configured MySQL instance is dangerous, whether the user is remote or local. This could allow malicious attackers to cause crashes or remote execution of arbitrary code (i.e., owning the machine).
You can use PuTTY to create a tunnel if it's allowed by the server so that your application traffic goes through ssh and then is forwarded to the correct port on localhost.