Compare phpMyAdmin with Adminer
|
View:
New views
19 Messages
—
Rating Filter:
Alert me
|
 |
Compare phpMyAdmin with Adminer
by Jakub Vrána
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Michal Čihař
::
Rate this Message:
Hi
Dne Thu, 27 Jan 2011 16:38:45 +0100 Jakub Vrána <jakub@...> napsal(a): > I used phpMyAdmin for several years but I didn't like some of its > features (or lack of features). That is a reason why I've started to > create a phpMyAdmin competitor four years ago. It is called Adminer and > it is currently a mature project. I have created a detailed comparison > between current stable versions of phpMyAdmin and Adminer which is equal > to list of things which I don't like on phpMyAdmin. Maybe you will find > some points valid also for your preferences. JFYI - many issues from your list are fixed in upcoming 3.4 (right now in beta). I probably missed something, but at least following are changed: - Enum type - Blob field download - Multi editation - Syntax highlighting - Multiple browser tabs (I'm not completely sure with this, but I know somebody was working on this issue) And there are some things which are already in 3.3: - Relations - phpMyAdmin honors relations in MySQL, you can additionally define relations for tables where MySQL does not support it - Selecting data - similar functionality is there for ages, try "Search" tab on table - your number of themes does not include two which are shipped with phpMyAdmin itself And I don't think that comparing number of publicly announced security bugs fixed in 2010 is relevant. Several big groups focused on phpMyAdmin in 2010, some of them are now doing regular review of the new code. I doubt that Adminer has received so big review as it is less known application. Anyway thanks for comparing these tools. -- Michal Čihař | http://cihar.com | http://blog.cihar.com ------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d _______________________________________________ Phpmyadmin-users mailing list Phpmyadmin-users@... https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users |
|
|
Re: Compare phpMyAdmin with Adminer
by Marc Delisle-2
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Jakub Vrána
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Jeff Harmon
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Jakub Vrána
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Jonny Kent
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Jeff Harmon
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Marc Delisle-2
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Michal Čihař
::
Rate this Message:
Hi
Dne Thu, 27 Jan 2011 23:41:37 +0100 Jakub Vrána <jakub@...> napsal(a): > The problem with relations and other advanced features in phpMyAdmin > is that they require creating extra tables and specifying them in > configuration. That is exactly written in the comparison. The result > is that most users don't know about this feature at all. I really > don't understand this behavior: "OK, tables are created so phpMyAdmin > will enable features for which the tables are not required at all." No, you need extra tables to define relations where you can not do it in MySQL (eg. for MyISAM tables). For MySQL native relations, you don't need any extra tables. > > - Selecting data - similar functionality is there for ages, try > > "Search" tab on table > > Search in phpMyAdmin is really just for search. Adminer allows > constructing queries containing clauses like CHAR_LENGTH(x), COUNT(*), > GROUP BY x, ORDER BY x,y and so on just by couple of clicks. Yes there are some specific things missing, but this is definitely not "lacking" as is written in your table. > > - your number of themes does not include two which are shipped with > > phpMyAdmin itself > > And it doesn't include one theme of Adminer so the score is 6:8 :-). Which sounds better than 4:7 :-). > The difference between Adminer and phpMyAdmin is that Adminer is > designed from start as a secure application and that security is the > number one priority in development of Adminer. You are right that the > published security fixes of phpMyAdmin is incomplete. For example the > ClickJacking protection reported by me and partially fixed by you is > not included in this list. And it is still not fixed completely > (ClickJacking is still possible from the same domain). I don't know about any way preventing this completely while using frames, maybe you can suggest us some solution? > Another unfixed > problem is with Referer leakage which you know about also for more > than a year. Both are mentioned in the comparison. I don't remember this. Anyway as you opened this topic, I fail to see any protection against this in Adminer as well :-). Especially as it is passing server and username in the URL, you can get much more interesting information than from phpMyAdmin. -- Michal Čihař | http://cihar.com | http://blog.cihar.com ------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d _______________________________________________ Phpmyadmin-users mailing list Phpmyadmin-users@... https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users |
|
|
Re: Compare phpMyAdmin with Adminer
by Jakub Vrána
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Jakub Vrána
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Michal Čihař
::
Rate this Message:
Hi
Dne Fri, 28 Jan 2011 13:45:19 +0100 Jakub Vrána <jakub@...> napsal(a): > > No, you need extra tables to define relations where you can not do it > > in MySQL (eg. for MyISAM tables). For MySQL native relations, you don't > > need any extra tables. > > Without $cfg['Servers'][$i]['relation'], phpMyAdmin really does not show > any relations in the Browse tab, neither for native InnoDB foreign keys. > It's visible on the screenshot, try it yourself (but delete the cookies > first because phpMyAdmin caches this information). Ah okay, it was not present in 3.3, but it is in 3.4. I thought it was changed longer time ago, but obviously it was not the case. > >> (ClickJacking is still possible from the same domain). > > I don't know about any way preventing this completely while using > > frames, maybe you can suggest us some solution? > > The best solution is giving up the frames. Other solution would be to > require a secure token in the URL of each page (stored in the session as > well) - but this would make impossible saving the page to the browser > bookmarks without logging in each time. What is something we already do for several years (I think I've implemented it somewhere in 2006). And hey, it is still possible to bookmark pages. > > I don't remember this. Anyway as you opened this topic, I fail to see > > any protection against this in Adminer as well :-). Especially as it is > > passing server and username in the URL, you can get much more > > interesting information than from phpMyAdmin. > > All links outside Adminer other than to adminer.org and mysql.com are > redirected through adminer.org which hides the referer. The only > exception is when you use Adminer under HTTPS where the referer is > hidden by browsers automatically. Why is mysql.com an exception? Anyway it is nice that it allows you to collect sensitive information on adminer.org :-). I think it rather should not leave the server where application is running, so there should be redirect done in the application itself (and that's actually what I've implemented in phpMyAdmin). Redirecting using external service hides also location of the application itself, but also makes you dependent on the external service. -- Michal Čihař | http://cihar.com | http://blog.cihar.com ------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d _______________________________________________ Phpmyadmin-users mailing list Phpmyadmin-users@... https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users |
|
|
Re: Compare phpMyAdmin with Adminer
by Jakub Vrána
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Hari K T
::
Rate this Message:
Vrana, is a respected person in the PHP community .
PHPMyAdmin is also a wonderful tool which have served great for PHP developers. He introduces something much more interesting to the PHP community . Competition is always good for it will make something good than the worst :-) . Cheers to all , lets make the project to a success. Hari K T M: +91-9388758821 | W: http://harikt.com  kthari85  kthari85  kthari852011/1/28 Jakub Vrána <jakub@...>
------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d _______________________________________________ Phpmyadmin-users mailing list Phpmyadmin-users@... https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users |
|
|
Re: Compare phpMyAdmin with Adminer
by Michal Čihař
::
Rate this Message:
Hi
Dne Fri, 28 Jan 2011 15:15:06 +0100 Jakub Vrána <jakub@...> napsal(a): > >> Other solution would be to require a secure token in the URL of each page > > > > What is something we already do for several years (I think I've > > implemented it somewhere in 2006). And hey, it is still possible to > > bookmark pages. > > Current solution does not prevent the same-domain ClickJacking because > if you access for example http://localhost/phpMyAdmin/?db=cds (without > token) then phpMyAdmin still happily works. Yes it does work intentionally. But that still pretty much lowers risk. > > Anyway it is nice that it allows you to > > collect sensitive information on adminer.org :-). I think it rather > > should not leave the server where application is running, so there > > should be redirect done in the application itself (and that's actually > > what I've implemented in phpMyAdmin). Redirecting using external > > service hides also location of the application itself, but also makes > > you dependent on the external service. > > I suppose that if you trust Adminer then you trust also its web site > ;-). not transmitted encrypted. > The best hiding method is running HTTPS which hides the referer > automatically - this is same for both tools. Redirect inside the > application unfortunately can't hide the URL of the application. And I still think it is more important to protect user data which might be in URL (eg. SQL query, this is case for both Adminer and phpMyAdmin). Your solution simply fails in this case. > Your > today's solution is not perfect (there is a needless redirect under > HTTPS) but it is a progress. As the RFC says SHOULD NOT and not MUST NOT, so it depends on the client: > Clients SHOULD NOT include a Referer header field in a > (non-secure) HTTP request if the referring page was transferred with > a secure protocol. It might indeed look needless with current clients, but it is safe. > I'm really glad that my comparison lead to improving phpMyAdmin somehow: > http://j.mp/ic9zPq phpMyAdmin is improving daily even without your comparison :-). -- Michal Čihař | http://cihar.com | http://phpmyadmin.cz ------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d _______________________________________________ Phpmyadmin-users mailing list Phpmyadmin-users@... https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users |
|
|
Re: Compare phpMyAdmin with Adminer
by Jakub Vrána
::
Rate this Message:
|
|
|
Re: Compare phpMyAdmin with Adminer
by Michal Čihař
::
Rate this Message:
Hi
Dne Sat, 29 Jan 2011 01:20:03 +0100 Jakub Vrána <jakub@...> napsal(a): > >> Current solution does not prevent the same-domain ClickJacking because > >> if you access for example http://localhost/phpMyAdmin/?db=cds (without > >> token) then phpMyAdmin still happily works. > > > Yes it does work intentionally. But that still pretty much lowers > > risk. > > I really don't see how this lowers the risk. phpMyAdmin is vulnerable > to same-domain ClickJacking, that's my point. If you allow $cfg['AllowThirdPartyFraming'] then yes, but it's your choice. -- Michal Čihař | http://cihar.com | http://blog.cihar.com ------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d _______________________________________________ Phpmyadmin-users mailing list Phpmyadmin-users@... https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users |
|
|
Re: Compare phpMyAdmin with Adminer
by Jakub Vrána
::
Rate this Message:
|
signature.asc (853 bytes) | Free embeddable forum powered by Nabble | Forum Help |
