bradymiller wrote on Sunday, June 22, 2014:
Hi,
Any thoughts on removing embedded phpmyadmin from OpenEMR? From a security standpoint, the project has not had enough resources to keep this tool updated.
-brady
OpenEMR
sunsetsystems wrote on Monday, June 23, 2014:
I think removing it is best.
robertovasquez wrote on Monday, June 23, 2014:
phpMyAdmin is simple to install from its website and it is kept updated. I do not see a reason to keep it embedded in OpenEMR.
yehster wrote on Monday, June 23, 2014:
I suspect that fsgl and Pimm will miss having phpMyAdmin as part of the pre-installed package on the demo servers.
The primary benefit of it being part of the package is the ability to run arbitrary SQL when the only access is available through a browser… (e.g. hosted environments…)
The workaround would be to install PHPMyAdmin separately when you rebuild your demo servers to provide direct database access to test users should you deem it worthy of your effort.
From a security standpoint, the project will be better off without it in our source tree, but there are some disadvantages.
iankarlwallace wrote on Monday, June 23, 2014:
I agree that from a security perspective the code set is better off with phpmyadmin removed, but I do agree with Kevin. We should keep it installed on the demos to allow for running SQL/debugging. The benefit of installing it from the distro is that you get the security updates for free.

Brady - Thanks for starting this discussion - it was on my list of things to do.

I would suggest we remove phpmyadmin in version 4.1.3.

ian
blankev wrote on Monday, June 23, 2014:
You are correct in the statement that I, personally speaking, will miss phpMyAdmin terribly.
What does it involve to get the version for personal use, with the optional advice to install phpMyAdmin afterwards and let it work flawlessly with OpenEMR? If there is a clear-cut way to go, and if there is a WIKI page on how to add phpMyAdmin and let it work with OpenEMR, there is no reason to include it. If it is almost impossible for non-programmers to get phpMyAdmin to work with OpenEMR, I vote for inclusion and for putting a "SECURITY is at stake" message in place.
Windows XP is insecure they say, but with some measures the insecurity is acceptable (no direct Internet connections etc…)
Windows 7 is even better
Windows 8 is so secure … till when?
Linux and Ubuntu and derivatives like Mint 17 are still considered rather safe.
Conclusion: If there is a possibility to learn the quick and easy way how to add phpMyAdmin, leave it out.
But the option of activating phpMyAdmin through Globals would be even better (now the default is enabled, and the default could be NOT enabled). Would this option make phpMyAdmin more acceptable to include, and safe? If the answer is YES, we could make phpMyAdmin the default but deactivated, and keep phpMyAdmin deactivated unless the user takes action, with some warning of the consequences.
blankev wrote on Monday, June 23, 2014:
The idea that I use phpMyAdmin only for SQL is incorrect. I mostly use it to back up different tables as CSV files and to upload CSV files.
Sometimes to correct wrong input of a USER.
blankev wrote on Monday, June 23, 2014:
If it is simple, where can I find a tutorial WIKI HOWTO on installing it for OpenEMR? I want to see with my own eyes that it is so simple. I remember once I tried to do an upgrade with terrible results, but that was many versions ago.
fr4nkie wrote on Monday, June 23, 2014:
Security should be top priority over ease of use when it comes to protected health information. I vote for removal.
fsgl wrote on Monday, June 23, 2014:
Into the mix in the discussion about eliminating phpMyAdmin, should be added didactics. Many new users come to understand the form and functions of the database through interactions with phpMyAdmin on the various Demo’s. Removing it would be the removal of a very good teaching tool.
My set of Ophthalmology forms is readily available via a phpMyAdmin import. Unlike the Contributed Forms, they cannot be copied and pasted into interface/forms and registered. To date the Wiki page has been viewed 3,900 times.
I don’t think that security is at the core of the issue, merely a coincidental one. There are other aspects of OpenEMR which are insecure, but doubtlessly there will be no talk of removal, let alone removal itself. If phpMyAdmin is insecure as a part of the package, how is it more secure when installed separately by the user?
If Brady does not have the time to maintain it; of course, we understand. As he is apt to say, he is only a volunteer. Being project administrator is more than a little hobby like stamp collecting. (Thanks, Kevin for what the Brits call “fellow feelings”.) We are DIY-ers; therefore, we will manage.
mdsupport wrote on Monday, June 23, 2014:
Bundling phpMyAdmin with OpenEMR is overkill for a simple and native database administration requirement. If phpMyAdmin is replaced by a single text-area form that passes user input as a SQL query using the standard OpenEMR function, it will let expert users or administrators debug and fix issues while their actions get logged.
System admins with database management expertise don't need guidance on using phpMyAdmin or other MySQL admin tools to manage the OpenEMR database.
cmswest wrote on Monday, June 23, 2014:
Most certainly we should strive for security, and removing phpMyAdmin is important for the work that is being done by iankarlwallace on the Debian package.
Maybe a new wiki on how to install phpMyAdmin separately? Here's Digital Ocean's install guide.
blankev wrote on Monday, June 23, 2014:
This looks promising. I will look into it and see if I can manage. If I can, most of the diverse USERS of OpenEMR will have no problem.
While I look into it I will make notes, so as to have a WIKI in place for when it is lost from the distros of OpenEMR.
fsgl wrote on Monday, June 23, 2014:
If one of the goals of this project is wide acceptance by the medical community, any tool that promotes that goal is worth preserving, if the costs are not too great to bear.
PhpMyAdmin has little database management value for the typical developer. Kevin advised us long ago that there are better tools. The focus, however, should not be solely on developers.
If we are considering tools which illustrate to the medical community the value of OpenEMR and which would ultimately lead to its greater acceptance by physicians, then we should not be in great haste to jettison phpMyAdmin. Concentrating on short term gains and losing sight of long term goals may prove to be myopic and unwise.
iankarlwallace wrote on Monday, June 23, 2014:
Thanks to everyone for giving some perspective to this question. I am torn over this issue personally, as I think the project has included phpmyadmin in the code set for a long time and stripping it out might confuse some - à la "Where's myphpadmin? It's always been there for me!"
There is a middle ground of keeping what we have now, and I will create the Debian package to strip it out. It will be a bit confusing if people mix and match the packages (Brady's deb package and then one from a mirror - we might want to declare that the two Conflict and shouldn't be installed together).
I brought up the question b/c Debian (or ubuntu or LM) all have phpmyadmin packaged and it appeared to be redundant. I realize that lots of people use Windows as well and it’s convenient to have it all in one install.
Sure having code in our source tree that’s from another project that isn’t regularly updated presents security risks b/c we don’t get fixes/updates. In my mind that’s a plus to removing but not the main reason - we are duplicating code and don’t need to.
I have already stripped phpmyadmin from the debian-med version.
Ian
fsgl wrote on Monday, June 23, 2014:
Ian,
Please clarify,
If Brady builds an Ubuntu Demo with LAMP, phpMyAdmin is included in the LAMP package?
Is this thread about OpenEMR package downloads or about the Demo’s?
If the answer to the first question is “yes” and the answer to the second is “downloads”, that would help to settle a great deal of my concerns and some of your angst.
If phpMyAdmin can continue to be a teaching tool in the Demo’s, that would be great. Adding phpMyAdmin is a 4 step process which can be handled by most Linux neophytes.
fsgl wrote on Monday, June 23, 2014:
Well, I just triggered the spambot alert again with the above post.
Let’s try again without the offending link.
Ian,
Please clarify,
If Brady builds an Ubuntu Demo with LAMP, is phpMyAdmin part of the LAMP package?
Is this thread about the OpenEMR package downloads or the Demo’s?
If the answers are “yes” and “downloads”, my concerns and some of your angst will be mitigated.
If the Demo’s continue to have this teaching aid, it will be great. We, Linux neophytes, will not have a difficult time adding a missing phpMyAdmin because I just learned it’s a 4 step process.
iankarlwallace wrote on Tuesday, June 24, 2014:
Fsgl -

> If Brady builds an Ubuntu Demo with LAMP, is phpMyAdmin part of the LAMP package?

I guess there are really two separate things. Brady builds a package that can be installed/uninstalled via dpkg on the command line. That's the OpenEMR package.

We can add phpmyadmin to the demo servers outside of the actual OpenEMR package, configured to communicate with MySQL and access the OpenEMR database. In the end there is no decrease in functionality for the end user; it's just that Brady no longer has to include the phpmyadmin source in the distro. The first time around we'll need to configure phpmyadmin correctly, but after that things shouldn't change.

The hardest part would probably be that the URL to access it would change to just 'phpmyadmin' instead of 'openemr/phpmyadmin'.

> Is this thread about the OpenEMR package downloads or the Demo's?

In the end it's really about neither downloads nor demos. This new package would show up in Debian with commands like apt-get, synaptic, etc. Brady could distribute a separate package, but the hope would be that he wouldn't have to, reducing his workload and providing for a larger/easier distribution network.

> If the Demo's continue to have this teaching aid, it will be great. We, Linux neophytes, will not have a difficult time adding a missing phpMyAdmin because I just learned it's a 4 step process.

I would always advocate that people install some tool to help with the admin of the DB (that is, unless you are a command line wizard).

Not a hard install or configuration, but still an extra step.
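The post above describes installing phpMyAdmin from the distro package, outside the OpenEMR tree, so that it is reachable at /phpmyadmin rather than /openemr/phpmyadmin and picks up the distro's security updates. Getting the updates is only half of the security argument: a separately installed phpMyAdmin still exposes full SQL access to the patient database to anyone who can reach the URL, which is the "open request for intrusion" concern raised later in the thread. The following Apache 2.4 fragment is an added example, not configuration from the OpenEMR project or from the Debian phpmyadmin package; it assumes the Debian/Ubuntu package layout (document root /usr/share/phpmyadmin, config in /etc/phpmyadmin), that mod_authz_core and mod_auth_basic are loaded, and that 10.0.0.0/24 stands in for the clinic's administrative subnet.

```apache
# Added example (not from OpenEMR or the Debian phpmyadmin package).
# Assumes Debian/Ubuntu phpmyadmin layout and Apache 2.4 authorization syntax.
#
# The package's default alias looks roughly like this and lets anyone who can
# reach the host load the phpMyAdmin login page:
#
#   Alias /phpmyadmin /usr/share/phpmyadmin
#   <Directory /usr/share/phpmyadmin>
#       Require all granted
#   </Directory>
#
# Hardened variant: same URL, but the directory is reachable only from the
# admin network AND only after an HTTP Basic login that sits in front of
# phpMyAdmin's own MySQL login. Serve this only inside a TLS VirtualHost so the
# MySQL credentials never travel in clear text.

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options -Indexes
    AllowOverride None

    AuthType Basic
    AuthName "OpenEMR database administration"
    # Create with: htpasswd -c /etc/phpmyadmin/.htpasswd dbadmin
    AuthUserFile /etc/phpmyadmin/.htpasswd

    # RequireAll makes BOTH conditions mandatory. Two bare Require lines would
    # default to RequireAny, so an attacker on the right subnet would skip the
    # password entirely.
    <RequireAll>
        # 10.0.0.0/24 is a placeholder for the admin subnet (assumption).
        Require ip 127.0.0.1 ::1 10.0.0.0/24
        Require valid-user
    </RequireAll>
</Directory>

# Belt and braces: phpMyAdmin ships setup/ and test helpers that have no
# business being reachable on a production EMR host.
<Directory /usr/share/phpmyadmin/setup>
    Require all denied
</Directory>
```

On a public demo server, where the thread wants test users to keep database access, the `Require ip` line would be dropped and the Basic auth credentials published on the demo page; on a production host holding protected health information, both restrictions should stay, and the MySQL account phpMyAdmin logs in with should be a dedicated one rather than the account OpenEMR itself uses.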
blankev wrote on Tuesday, June 24, 2014:
Dear friend and thinker fsgl,
Don't forget to make notes to include in the new WIKI pages on phpMyAdmin. Even four steps can be hard for some of us. But if it is so easy to install, why would it be different if phpMyAdmin is a separate web page, and we put all the particulars for changing OpenEMR tables in a separate WIKI or website? Is this not an open request for intrusion, if we have to tell the active USERS how to use phpMyAdmin…
fsgl wrote on Tuesday, June 24, 2014:
Ian,
PhpMyAdmin is part of the package deal of XAMPP for Windows, that takes care of the majority of users. LAMP has it. The Demo’s will have it. Only the future Ubuntu-Debian package will not have it.
For most of this thread, I got the impression phpMyAdmin will be uncoupled from all copies of OpenEMR. Incorrect understanding on my part.
The mountain turned out to be a molehill.
Equilibrium has been restored to this little universe.
Pimm,
The first of my duplicate posts has been deemed not to be a spambot, so you can click the link and see that most beginners will be able to install it.