Why I lose interest in some projects.

Friday, 18 February 2011

Some projects have historically sucked; they've been incomplete, they've been hard to use, they've had poor documentation, or they've had regular security issues.

Over time projects that started off a little poorly can, and often do, improve. But their reputation is usually a long time in improving.

For me? Personally? PHPMyAdmin is a security nightmare. So while it is nice to read about it gaining the ability to be themed, and even receiving submissiosn from users (a rare thing for projects to receive such external contributions) I just find it hard to care.

I see PHPMyAdmin written in a blog, in a news article, or on a users machine and I just think :

  • "PHPMyAdmin? That's that thing that has security problems."

Harsh. Unfair. Possibly no longer true. But I do tend to stick to such judgements, and I'm sure I'm not alone.

Ideally people wouldn't be dogmatic, would be open-minded about re-evaluation situations. In practise I'm probably not such a unique little snowflake, and there are probably a great many people to this day who maintain views which that are based on historical situations than the current-day reality:

  • Java is slow and verbose.
  • Perl is line-noise.
  • Sendmail is an insecure mess.
  • ...

Anyway. PHPMyAdmin? I'm sorry for singling you out, even with your fancy themes, language translations, and other modern updates. It's just a name that conjours deamons for me. Though I'm sure there are a great number of people who love it to pieces.

ObQuote: "You don't want to know my name. I don't want to know your name. " - Spartacus

| 7 comments.

 

Comments On This Entry

[gravitar] Drizzt

Submitted at 09:09:21 on 19 february 2011

I'd sooner cancel a contract before installing PMA on any of my servers. And judging from the scans I see in the logs, where script kiddies are trying to find that PMA instance, I'd say PMA is still a frigging mess.

Just remembering how often I read PMA had SQL injection issues gives me shivers. It's a DB management application and they still didn't get the DB part right.

[gravitar] Iñigo

Submitted at 09:50:38 on 19 february 2011

Not only the app itself... but the developers practice:

a) I can write here.
b) I download phpmyadmin where I can write.
c) I do not talk to sysadmin, because she makes me think.
d) I go to the login form, using plain HTTP and database credentials, probably from a wifi.
e) I let the downloaded version, running for year, without upgrades.

So if you let people write on your servers, best practice as sysadmin is, like kiddies, to run audit tools over your writable server.

Greetings

[author] Steve Kemp

Submitted at 10:25:43 on 19 february 2011

I should probably say my servers don't run PHP at all; to avoid issues with applications which have traditionally been problematic.

(Which is software like wordpress, phpmyadmin, etc.)

[gravitar] Adrian von Bidder

Submitted at 12:37:45 on 19 february 2011

Sendmail is an insecure mess.

While still a mess, probably not an insecure one per se. But when the primary author recommends to use competing product (Postfix) for new installations, .... — see LWN

[gravitar] Debianero

Submitted at 20:52:43 on 19 february 2011

I don't use PMA but for those who want to use it the best practice is make PMA listen to localhost only and then use ssh tunneling to connect to it.

[gravitar] erich

Submitted at 07:24:07 on 21 february 2011

I apply the same prejudice to ANY PHP application.

I've just seen too many PHP apps that are pretty and fancy and powerful on the outside but an ugly mess on the inside. E.g. I've seen a pretty webmail interface keep all passwords in plaintext forever in a "session" table on a SQL server...
I've seen "password protection" on blog posts being trivial to bypass. Etc.

The only language where average code quality is worse than in PHP probably is JavaScript...

[gravitar] mirabilos

Submitted at 12:36:49 on 21 february 2011

Well sendmail;s probably still a mess, not that much any
more (except certain packaging of it), but the insecure
part hasn't been true for a few years. (Actually, the
other way round.)

I sort of agree on the rest, though

 

Comments are closed on posts which are more than ten days old.

Recent Posts

Recent Tags