Option for Drooping Embedded PhpMyAdmin

tmccormi wrote on Saturday, June 29, 2013:

I have created a branch for review:

GitHub - tmccormi/openemr at drop-phpmyadmin

This has 4 key things

  1. phpmyadmin is removed entirely
  2. A global option is added to allow the user to point to a URL where phpmyadmin or OTHER tool of choice is available
  3. selecting Administration->Other->Database launches that tool in a separate TAB or browser window. No login data is passed, the admin user must know the database user and password or the root mysql user and password (as they should).
  4. I added a FAQ document on how to install phpMyadmin separately on Ubuntu

This option allows for choice and better security overall. I could choose to point that link to a Report generator / Ad Hoc Query tool instead, for instance.

As a side note I added functions to left_nav.php to allow for a menu type that does not assume the url is relative to the openEMR directory.

–Tony
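One way the external-tool menu link from items 2 and 3 could be rendered defensively (scheme check, new tab, no credentials in the URL), written as an added example for this thread rather than code from Tony's branch; the global name and the function names are assumptions:

```php
<?php
// Added example, not OpenEMR code. $GLOBALS['external_db_tool_url'] is a
// hypothetical name for the global that the drop-phpmyadmin branch introduces.

/**
 * Accept only absolute http(s) URLs. A relative path (what left_nav.php used
 * to assume) or a non-web scheme pasted into the globals screen is rejected
 * rather than rendered into the admin menu.
 */
function validate_external_tool_url(string $url): ?string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/**
 * Build the Administration->Other->Database menu entry. target="_blank" opens
 * the tool in its own tab; rel="noopener noreferrer" denies the external page a
 * window.opener handle on the OpenEMR window and withholds the OpenEMR URL as
 * referrer. No database credentials are ever placed in the link.
 */
function render_external_tool_link(string $configuredUrl, string $label): string
{
    $safeLabel = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    $safeUrl = validate_external_tool_url($configuredUrl);
    if ($safeUrl === null) {
        // Unset or rejected setting: show a disabled entry instead of a broken link.
        return '<span class="menu-disabled">' . $safeLabel . '</span>';
    }
    return sprintf(
        '<a href="%s" target="_blank" rel="noopener noreferrer">%s</a>',
        htmlspecialchars($safeUrl, ENT_QUOTES, 'UTF-8'),
        $safeLabel
    );
}

// Constructed sample settings: an externally maintained phpMyAdmin, and a
// relative path that would have worked with the old embedded copy.
$GLOBALS['external_db_tool_url'] = 'https://dbadmin.example.internal/phpmyadmin/';
echo render_external_tool_link($GLOBALS['external_db_tool_url'], 'Database'), "\n";
echo render_external_tool_link('phpmyadmin/index.php', 'Database'), "\n";
```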

bradymiller wrote on Saturday, June 29, 2013:

Hi Tony,

See my comments in other thread.

Also, for everybody’s sanity, make the phpmyadmin removal its own commit.

thanks,
-brady
OpenEMR

yehster wrote on Wednesday, July 03, 2013:

It looks like the only changes in OpenEMR code itself are in left_nav (to update the menu item) and in globals (to specify the location); all the other changes are 1. documentation (yeah!) and 2. deletions of PhpMyadmin.

deschel wrote on Thursday, July 04, 2013:

Why are we removing features?

Brady insisted that I not remove any features in my improvement to demographics, even if it makes my improvement significantly more complicated.

Now, he is going to allow removal of a major feature.

I usually use a separately installed version of PHPMyAdmin because I like to use the most up to date version. However, if I am lazy, I still use the embedded PHPMyAdmin, and it does what it needs to do.

Some people may just need basics, and the embedded version should be adequate for them. My guess is that some people might not have the technical ability to install PHPMyAdmin. So, you will be hurting these people.

Why not spend your time to update the embedded PHPMyAdmin to the most current version? This should only take a couple of hours of work at most, right?

You can still create the option for pointing to an external version.

I don’t see a reason to remove the embedded version and penalize those who don’t want to deal with installing the “newest” thing.

It’s not like the embedded PHPMyAdmin is taking up a huge amount of space or is a big drain on resources.

David Eschelbacher MD

kodusote wrote on Thursday, July 04, 2013:

I fully agree with David.

Kayode

tmccormi wrote on Thursday, July 04, 2013:

Yes. Simple. I don’t think it is our job to try and document all the possible ways that someone should ‘secure’ their site. My strong feeling is that if you are using OpenEMR on a network accessible to the internet then you better know what you are doing or consult a pro.

On Jul 3, 2013 3:26 AM, “Kevin Yeh” yehster@users.sf.net wrote:

It looks like the only changes in OpenEMR code itself are in left_nav (to update the menu item) and in globals (to specify the location); all the other changes are 1. documentation (yeah!) and 2. deletions of PhpMyadmin.


yehster wrote on Thursday, July 04, 2013:

The debate about removing PHPMyAdmin from the code base has been going on for years.

One of the intentions in removing it from the OpenEMR package and requiring a separate installation process is that it absolves the five OpenEMR integration developers who can make changes to the official code base of the responsibility for trying to keep PhpMyAdmin up to date.

The issue with the version embedded in 4.1.1 is that it has a large number of unpatched vulnerabilities. Even the updated version in the development tree already has a serious vulnerability:
http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php

Another intention of Tony’s changes is to simplify upgrading the “embedded” version, by documenting the installation process and not shipping with a version that is likely to be out of date.

The impact to knowledgeable OpenEMR users would be minimal. It means spending an extra 10 minutes or so separately downloading and installing PhpMyAdmin for an OpenEMR package that didn’t come with PhpMyAdmin pre-installed.

One of my hopes is that by making said users do the install themselves, they might think to take it upon themselves to keep PhpMyAdmin up-to-date for any security patches.

As Tony mentioned, it is impractical to educate the community about all potential security threats.

From a number-of-supporters standpoint, I recognize that Tony and I are on the losing side of this issue, but we both feel it is our responsibility to continue to express our concerns.

deschel wrote on Thursday, July 04, 2013:

The security vulnerability is fixed by upgrading the embedded version. It’s not like it needs to be upgraded often. It’s been years since it’s been upgraded.

Can someone upgrade it? Once every few years would be nice.

I can put it on my to do list, which is pretty long. But it would probably be much easier for someone more familiar with how to do it.

David

bradymiller wrote on Thursday, July 04, 2013:

Hi David,

To not reinvent the wheel (discussion and code, which has already been upgraded…), see these two posts/threads for more details:
http://sourceforge.net/p/openemr/discussion/202506/thread/a415cf97/#2d46
http://sourceforge.net/p/openemr/discussion/202506/thread/8dd32916/#1173

-brady

bradymiller wrote on Saturday, July 06, 2013:

Hi,

Here’s documentation regarding the most recent version of phpmyadmin that was embedded into OpenEMR, in addition to a plan to hopefully bring in phpmyadmin security fixes in the future, and a “To Be or Not To Be” section summarizing the current state of phpmyadmin affairs (note that I fall on the practical side at this point):
http://www.open-emr.org/wiki/index.php/PhpMyAdmin#For_versions_4.1.2_and_above

Tony’s code above is something that can be considered for 4.1.3 or beyond. I have not been able to review Tony’s code because my browser has problems when loading huge commits on github (this is why I have suggested placing the phpmyadmin removal step in its own commit to separate all the noise from the code).

-brady
OpenEMR

aethelwulffe wrote on Tuesday, July 09, 2013:

One advantage of having embedded PHPMyAdmin: config file that restricts you to just accessing the OpenEMR db. Yeah, there are other ways of doing this. Sure. Basically there is the baby/bathwater issue here.
The only “real” solution is the dependency/resource management and install configuration option route. That is a big deal, but let’s face it, there is no getting around this if you want your cake and eat it too then be able to effectively clean the chocolate off the baby. When a loose cannon flogs a dead horse, there will be the devil to pay.

By the way, how do you go about Drooping software? Are you suggesting a Salvador Dali themed interface? I could go for that. Just so long as Drupal is not involved.

tmccormi wrote on Wednesday, July 10, 2013:

Brady,
At this moment I don’t have time to split the commits for your browser issue, but the attached diff.txt file has the relevant changes for your convenience.

–Tony

tmccormi wrote on Wednesday, July 10, 2013:

Also, here’s a thought. What if we just provide an “embedded phpmyadmin” patch file? Then if people want the embedded version they can just unzip it in place and change the globals to point to it, just like old times?

That modified fork of phpmyadmin could be in its very own “component” repository and, therefore, start a new trend of optional add-ons that can be maintained by those that want them…

More like the rest of the well designed FOSS projects and SAS offerings out there. Could eventually lead to a “find add-ons and install” tool set.

–Tony

bradymiller wrote on Wednesday, July 10, 2013:

Here’s a thought:
To remove it after an installation, select the phpmyadmin directory and move it to the recycle bin. Then old times will keep on happening :slight_smile:

Regarding “find add-ons and install” tool set, I suppose it’s ok to dream :slight_smile:
Speaking of modules and add ons, will hopefully have some time after the release to review/test Z&H’s module loader and modules.

As an aside, got my browser to load up your stuff (I just can’t touch the browser for a couple minutes while it is loading), so will check it out (likely not formally until after the release).

-brady
OpenEMR

unclenate wrote on Wednesday, July 10, 2013:

Yes, please :slight_smile:

On Tue, Jul 9, 2013 at 10:38 PM, Tony McCormick tmccormi@users.sf.net wrote:

Also, here’s a thought. What if we just provide an “embedded phpmyadmin” patch file? Then if people want the embedded version they can just unzip it in place and change the globals to point to it, just like old times?

That modified fork of phpmyadmin could be in its very own “component” repository and, therefore, start a new trend of optional add-ons that can be maintained by those that want them…

More like the rest of the well designed FOSS projects and SAS offerings out there. Could eventually lead to a “find add-ons and install” tool set.

–Tony


tmccormi wrote on Wednesday, July 10, 2013:

The point is to reduce the code bloat in the core. But, obviously, we are going nowhere on this discussion.
Tony

aethelwulffe wrote on Wednesday, July 10, 2013:

No, Mr. reply-by-email doubleposting never sees edits.
I think the PHPmyAdmin patch file is a perfectly wonderful compromise. Keep the two hunks of junk separate from each other. The basic approach would be good as a standard to add other embedded features of modules in an unsophisticated fashion as well. Dropping it entirely is just not a good option.
“Hello, this is Mary-Jo User from Life and Death Emergency Services. Do you guys support OpenEMR? Great! See, we are in the middle of some ad-hoc brain surgery, and we need some help with our database here behind our firewall and on a network we know nothing about. PHPMyAdmin?..err no…”