phpMyAdmin 是否会对生产造成安全风险

2022-01-05 00:00:00 database mysql phpmyadmin

我使用的 VPS 曾经有 phpMyAdmin 预安装选项,但删除了它,指出它会带来安全风险.是吗?

The VPS I was using used to have phpMyAdmin pre-installation option but removed it stating it poses security risk. Does it?

如果是这样,您是否推荐在生产中浏览数据库的替代方法(除了在控制台中运行 SQL 命令)?

If so do you recommend an alternative for browsing DB on production (other than running SQL commands in console)?

推荐答案

您添加到系统中的任何额外软件都会增加复杂性.复杂性是安全的敌人.

Any extra software you add to a system adds complexity. Complexity is the enemy of security.

PHP 网络应用程序以草率编码而臭名昭著,当然 phpMyAdmin 已经超过其份额的安全漏洞 过去.您当然可以通过例如减轻损害.将 HTTPS 与客户端证书放在一起,但这并不能阻止跨站点请求伪造攻击.

PHP webapps are notorious for sloppy coding and certainly phpMyAdmin has had more than its share of security holes in the past. You can certainly mitigate the damage by eg. putting behind HTTPS with a client certificate, but that's not going to prevent cross-site-request-forgery attacks.

对于生产机器,我真的更喜欢使用控制台.

For a production machine, I'd really prefer to stick to the console.

相关文章