EXT:phpMyAdmin – Alternatives for TYPO3

Last week, once again, a security update for the TYPO3 extension „phpMyAdmin“ hit the public. This is one of the extensions that get updated mostly for security reasons. There are several secure alternatives, which I will show you in this article.

First of all, I want to thank Andreas Beutel, the author of the TYPO3 extension „phpMyAdmin“, for his continuous work on this extension in order to keep it safe. It is (probably) a really annoying job to keep the extension up to date. In most (all?) cases the problem is not the TYPO3 extension itself but the bundled third-party software „phpMyAdmin“. Thanks again for your work, Andreas!
As I already wrote, the trigger for this blog post was the latest security bulletin for the TYPO3 extension „phpMyAdmin“. The following arguments are not limited to EXT:phpMyAdmin; they apply just as well to other extensions offering (nearly) the same functionality, like „t3adminer“.

Reasons not to use it

Complete DB access for TYPO3 administrators

One of the main reasons to install such a TYPO3 extension is that you just want to check whether some database entries are correct. So far, so good. But these extensions enable every TYPO3 admin to manipulate each and every database entry, including tables the TYPO3 backend never exposes (be_users, sys_registry, caches, …). With these permissions they can wreck your installation easily.
Additionally they have access to private data, whether it is encrypted or not, which makes it much easier to compromise that data. The third reason is that the permission to access the database is not limited to one or more dedicated TYPO3 users, but is granted to every TYPO3 backend user with admin rights. Probably not all of them have the same expertise and the same carefulness with the data.

Many security updates 

Many security updates are not a bad thing per se. They are a sign of an active security team behind the software. But in the case of a TYPO3 extension shipping third-party code like phpMyAdmin, more than one party is involved: the upstream project, the TYPO3 extension author and the TYPO3 security team. Each of the three needs time to respond to an issue, and that time depends heavily on their workload and motivation. During that window the installation runs a publicly known vulnerable version. My conclusion: the fewer parties are involved, the shorter the time until a fix is available.

Temporary usage

One of the most common arguments is „Hmmm … I’m just using it temporarily“. Yes, this is a valid answer and an understandable reason. But be honest with yourself: how often did you forget to remove it afterwards? If you do not have a solution like „caretaker“ monitoring this instance … you will forget it forever, won’t you? IMHO the risk of having such a time bomb in (at least) one of your installations is far too high.
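A small check for exactly this „forgot to remove it“ case, as an added example that is not part of the original post: it looks in each given TYPO3 root for the extension directories of EXT:phpmyadmin and EXT:t3adminer and, where the file exists, for their keys in typo3conf/PackageStates.php. The directory layout is the standard TYPO3 one; the installation paths in the example call are assumptions, and the PackageStates.php match is a simple substring check, not a PHP parser.

```shell
#!/bin/sh
# Added example (not from the original post): find DB-access extensions that
# were installed "temporarily" and never removed.  Run it from cron or a
# monitoring job over all TYPO3 roots on a host and alert on a non-zero exit.

# Extension keys named in the post; extend the list as needed.
RISKY_EXTS="phpmyadmin t3adminer"

# $1 = TYPO3 root directory.  Prints one line per finding.
# Returns 1 if anything was found, 0 if the installation is clean.
find_db_extensions() {
    root=$1
    found=0
    for ext in $RISKY_EXTS; do
        # The extension directory is present (installed or merely unpacked).
        if [ -d "$root/typo3conf/ext/$ext" ]; then
            echo "$root: extension directory typo3conf/ext/$ext present"
            found=1
        fi
        # The package is listed in PackageStates.php (heuristic: the file is
        # PHP, so we only look for the quoted extension key).
        if [ -f "$root/typo3conf/PackageStates.php" ] &&
           grep -q "'$ext'" "$root/typo3conf/PackageStates.php"; then
            echo "$root: '$ext' listed in typo3conf/PackageStates.php"
            found=1
        fi
    done
    return $found
}

# Check every root given as an argument; returns 1 if any root is dirty.
audit_roots() {
    dirty=0
    for root in "$@"; do
        find_db_extensions "$root" || dirty=1
    done
    return $dirty
}

# Stand-alone use, e.g.: sh audit-db-ext.sh /var/www/site1 /var/www/site2
# (paths are hypothetical)
if [ "$#" -gt 0 ]; then
    audit_roots "$@"
fi
```

Keep the exit status: a non-zero result from audit_roots is what a cron job or a tool like caretaker can turn into an alert, which is the reminder you would otherwise never get.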

Alternatives

All alternatives mentioned here have one advantage in common: the persons who get direct access to the database can be chosen deliberately, and their privileges can be limited to what they actually need … not every TYPO3 admin automatically gets direct access to the database with all privileges.
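What „chosen deliberately“ looks like on the database side, as an added example that is not part of the original post: a personal, read-only MySQL account for the „I just want to check some entries“ case, bound to one database and one client host, plus a check that audits an existing account’s SHOW GRANTS output for anything beyond reading. Database name, account name, host and password are placeholders; CREATE USER IF NOT EXISTS needs MySQL 5.7 / MariaDB 10.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): least-privilege MySQL accounts
# instead of handing every TYPO3 admin the complete access the extension gives.

# Print the SQL for a read-only account limited to one database.
# $1 = database, $2 = account name, $3 = client host (127.0.0.1 when the
# person connects through an ssh tunnel), $4 = password.
readonly_user_sql() {
    db=$1; user=$2; host=$3; pass=$4
    cat <<EOF
CREATE USER IF NOT EXISTS '${user}'@'${host}' IDENTIFIED BY '${pass}';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${user}'@'${host}';
GRANT SELECT, SHOW VIEW ON \`${db}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# Read a SHOW GRANTS listing (one statement per line) on stdin.
# Returns 0 if the account can only read, 1 if any statement grants a
# privilege that can change data, schema or the server.
grants_are_readonly() {
    ! grep -Eiq '^GRANT (ALL PRIVILEGES|[A-Z ,]*(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|INDEX|EXECUTE|FILE|SUPER|RELOAD|SHUTDOWN|PROCESS|PROXY)[A-Z ,]* ON)'
}

# Usage (hypothetical values), run with an administrative DB account:
#   readonly_user_sql typo3_prod alice 127.0.0.1 "$(openssl rand -base64 18)" \
#       | mysql -u root -p
#   mysql -u root -p -N -e "SHOW GRANTS FOR 'alice'@'127.0.0.1'" \
#       | grants_are_readonly && echo "alice is read-only"
```

The REVOKE before the GRANT makes the function idempotent: re-running it on an account that someone widened in the meantime puts it back to read-only. Run the audit part over every account that is allowed to connect from outside the application, including the one TYPO3 itself uses.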

Own phpMyAdmin Installation

I think this is the weakest recommendation in this list. It is up to the administrator to make the database access via phpMyAdmin safe and secure: serve it over HTTPS only, put an additional authentication layer in front of it, do not leave it at a well-known path, and keep it updated. The difference to the TYPO3 extension is that the phpMyAdmin admin is solely responsible for the installation and the software. An update for phpMyAdmin is possible without any action from the extension author or the TYPO3 security team.

Provider’s web-based DB tool

Most (all?) hosting providers offer a graphical user interface for database access, mostly based on phpMyAdmin. Hosting providers have an intrinsic motivation to keep their database tool safe: if they didn’t, many thousands of databases would be exposed to attackers instantly.

GUI clients

A third possibility for accessing MySQL databases are native graphical clients. For every operating system there are solutions available. Here is a list of products (probably there are more … you are welcome to add them in the comment section):

  • supports MySQL
  • available for MacOS X
  • Licensing Model: free (MIT license)

  • supports MySQL
  • available for several OS (MacOS, Linux, MS Windows)
  • Licensing Model: free (GPL)

  • supports MySQL, MSSQL and PostgreSQL
  • available for MS Windows (using Wine also for MacOS and Linux)
  • Licensing Model: free (GPL)

  • supports MySQL
  • available for MS Windows
  • Licensing Model: Freeware

  • supports several databases (MySQL, MariaDB, Oracle, MSSQL, PostgreSQL, …)
  • available for several OS (Windows, Mac, Linux, iOS)
  • other DB tools available (Data Modeler, …)
  • Licensing Model: commercial

  • supports MySQL and MariaDB
  • available for MS Windows
  • Licensing Model: free (Express edition), commercial (Standard and Professional edition)

ssh & commandline mysql

Last but not least, it is possible to access the database from the command line: log in via ssh and fire all those nifty commands through the mysql command line client. If nothing else works, this can be a really big help, but it is not as comfortable as the other solutions. It does have one security advantage: the MySQL port never needs to be reachable from outside, because the connection runs through ssh.
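The ssh variant done properly, as an added example that is not part of the original post: a script that opens an ssh port forward to the database host, runs the mysql client through it, and closes the tunnel again. The ssh target, database user and database name in the example call are placeholders; the forwarded local port defaults to 3307 and can be overridden with LOCAL_PORT.

```shell
#!/bin/sh
# Added example (not from the original post): mysql command line client over
# an ssh tunnel.  The same tunnel also serves the GUI clients above when
# they have no built-in ssh support: point them at 127.0.0.1 and the local port.

# ssh arguments for a tunnel from local port $1 to the MySQL port $3
# (default 3306) on the host behind ssh target $2 (account@host).
# ExitOnForwardFailure makes ssh fail instead of silently running without the
# forward when the local port is already taken.
tunnel_args() {
    local_port=$1; ssh_target=$2; remote_port=${3:-3306}
    echo "-f -N -o ExitOnForwardFailure=yes -L ${local_port}:127.0.0.1:${remote_port} ${ssh_target}"
}

# mysql client arguments.  --protocol=TCP is required: the client treats the
# host name "localhost" as "use the unix socket", which would bypass the
# tunnel.  --password without a value makes mysql prompt, so the secret never
# shows up in the process list or the shell history.
mysql_args() {
    local_port=$1; db_user=$2; db_name=$3
    echo "--protocol=TCP --host=127.0.0.1 --port=${local_port} --user=${db_user} --password ${db_name}"
}

# $1 = ssh target, $2 = database user, $3 = database, $4 = remote MySQL port.
# Opens the tunnel as an ssh control master so it can be shut down cleanly.
db_shell() {
    local_port=${LOCAL_PORT:-3307}
    sock=${TMPDIR:-/tmp}/dbtunnel.$$
    # shellcheck disable=SC2046  # word splitting of the argument strings is intended
    ssh -M -S "$sock" $(tunnel_args "$local_port" "$1" "${4:-3306}") || return 1
    mysql $(mysql_args "$local_port" "$2" "$3")
    status=$?
    ssh -S "$sock" -O exit "$1" 2>/dev/null
    return $status
}

# Example call (placeholders): db_shell deploy@db.example.org alice typo3_prod
```

If you connect this way regularly, store the database credentials in a ~/.my.cnf with mode 600 (or via mysql_config_editor) instead of typing them each time, and create the database account for 127.0.0.1 only, so it is useless without the tunnel.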

Conclusion

There are many solutions for accessing MySQL out „in the wild“. So IMHO there is no need to install and use any TYPO3 extension that provides database access.

5 Comments

  1. I would like to add DBeaver to the list of Database Clients.
    http://dbeaver.jkiss.org/

    Not only can it handle NoSQL databases, it can also run on Mac, Linux, Windows. It replaced (I use Windows as my host OS) HeidiSQL, since it has more features such as: database multi-selection (for example truncating all realurl cache tables). It may not look as good as some of the other tools but it works perfectly after getting used to. 🙂

  2. It is worth noting that even if MySQL is not directly accessible from the outside an SSH tunnel often works (and may be preferable in other cases, too). Some tools, such as MySQL Workbench, even support setting up a tunnel natively.

    MariaDB can be used for most purposes with many tools that officially only support MySQL (such as MySQL Workbench). Two noteworthy mentions for graphical clients are:

    SQuirreL SQL (http://squirrel-sql.sourceforge.net/): Portable, free, works for most SQL RDBMS (with JDBC connectors).
    JetBrains DataGrip (formerly 0xDBE, https://www.jetbrains.com/datagrip/): Somewhat portable, commercial, works for many SQL RDBMS. Supports refactorings, but is quite a young product; hopefully gains a few more features fast. Possibly a good option if you already work with PhpStorm, WebStorm or IntelliJ IDEA.

    Apart from that the security implications of running phpMyAdmin over HTTPS and with HTTP-based password protection are not too bad.

  3. You are totally right. The extension is very nice and helpful, but could ruin your day very quickly 🙂

    For many years I have been using MySQL Workbench and HeidiSQL now. They are both great tools to access the db in their own ways. As the name suggests, MySQL Workbench is a workbench with many tools and options, whereas on the other hand HeidiSQL is a simple tool with easy access to your db.

    Cheers from Berlin!

    Mat
