• Resolved maipiusenza

    (@maipiusenza)


    Is it possible to limit a user's access (or, if that is not possible, an admin's access too) to some tables and, better, to some tables in a DB different from the one used by WP?

    I need to allow some users to edit some DB data, but I don't want them to delete other tables' content by mistake.

    It would be ok on wp-config too.

    Thanks

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Pexle Chris

    (@pexlechris)

    Hi.

    And thanks for using my plugin!

    Yes, you can do it by using JS and PHP.

    PHP in order to wp_die() if the user must not have access,

    and JS to hide the other tables.

    PHP, using the action pexlechris_adminer_before_adminer_loads in order to wp_die if not-allowed tables' names exist somewhere in the URL.

    And the JS you need to put in the following action:

    add_action('pexlechris_adminer_head', function(){
       ?>
       <script nonce="<?php echo esc_attr( get_nonce() ); ?>"> // get_nonce is an Adminer function
          // put your JS code here
       </script>
       <?php
    });

    If you don't know how to do it, you need to pay a developer (or me), in order to write the appropriate code to achieve your goal.

    If you have any question, feel free to ask.
    Thanks.

    • This reply was modified 2 years, 1 month ago by Pexle Chris. Reason: I forgot the php tags in the codeblock
    Thread Starter maipiusenza

    (@maipiusenza)

    Thanks for the prompt response!
    I was thinking of using CSS rather than JS to hide the unwanted table.

    With JS it is a bit more secure than with CSS, but not so much if the user has it disabled.

    I was looking for a more "risk free" solution.
    Isn't it possible with an action to remove part of the code or add some "if" in a loop so as to hide the lines where the table name doesn't contain some word?

    Moreover, as in my case I will need to edit a DB different from the one used by WP, I have to set
    define('PEXLECHRIS_ADMINER_HAVE_ACCESS_ONLY_IN_WP_DB', false);
    But is there a way to have the Adminer page open directly on the correct DB page when I click on "Open Adminer in a new tab"?
    Something like

    https://mysite.com/wp-adminer?username=&db=mydbname
    rather than
    https://mysite.com/wp-adminer?username=
    (I don’t want to edit the plugin folder files to avoid problems with updates)
    Is it possible with an action too?

    Another question, as I have never used Adminer before... Will it manage huge amounts of data?
    I could have a table with some hundred thousand lines. I could launch a search for something like half of the data and then click on "delete" for all of them, in one click. Will that be possible or do I risk some timeout?

    Thanks!
    Nadia

    Plugin Author Pexle Chris

    (@pexlechris)

    I suggest JS instead of CSS because there are no appropriate classes on the outer HTML elements, only on the inner ones, and you cannot "catch" them with CSS3.

    It isn't possible with an action to remove part of the code. If you know Adminer's API you can try it. I cannot help you with this.

    You can do the redirect in the hook pexlechris_adminer_before_adminer_loads with priority less than 10:

    add_action('pexlechris_adminer_before_adminer_loads', function(){
       // Only redirect when no database has been chosen yet, otherwise this hook
       // would redirect on every load and loop forever.
       if ( empty( $_GET['db'] ) ) {
          wp_safe_redirect( add_query_arg( array( 'username' => '', 'db' => 'mydbname' ) ) );
          exit;
       }
    }, 9);
    Thread Starter maipiusenza

    (@maipiusenza)

    Ok thanks,
    actually it is just a test to find the right tools for a new project. If it is realized and I need deeper customization, I'll contact you for some collaboration.
    Thanks
    Nadia

    Plugin Author Pexle Chris

    (@pexlechris)

    Great!!

    I also forgot to answer about Adminer's performance.

    Yes, Adminer can manage huge databases!
    You can find more info and a comparison with phpMyAdmin here: https://www.adminer.org/en/phpmyadmin/

    Thread Starter maipiusenza

    (@maipiusenza)

    great, thanks!

    Walf

    (@wallfur)

    @maipiusenza The only way to limit user access to specific tables and databases is with MySQL's/MariaDB's own permission system. Trying to block Adminer URLs containing table names is no substitute because there are many ways to read and modify data within Adminer, the most obvious being the SQL command page. You might need a stand-alone copy of Adminer to do what you want, but this could invite brute-force attacks so use very strong passwords.

    @pexlechris I don’t know why you’re telling your users it’s possible.

    Plugin Author Pexle Chris

    (@pexlechris)

    The SQL command page puts the SQL command in a GET parameter named sql in the URL, so you can catch the table's name in the case of the command page too!

    Thread Starter maipiusenza

    (@maipiusenza)

    @wallfur, in my specific case, the problem is edits made by mistake, not hacking risks from that user.
    The user that will access the DB is the owner of the site, but he should only edit some tables (import large amounts of data from a CSV or delete some of that data).
    So if he does not "see" the other tables that he could delete by mistake, it is ok.
    But thanks for the clarification.

    Walf

    (@wallfur)

    @maipiusenza I’m still of the opinion that a separate user is better, because then MySQL automatically limits what is available to the user (and thus in Adminer) without any program code to change the behaviour of Adminer or a plugin. As long as you’re aware of that, then do whatever works for you.

    @pexlechris That's just another band-aid. Raw SQL is also allowed in the Select, Insert and Update pages. Whilst your advice may work in this particular instance, they are not the only person reading this, so it's best not to spread false information about basic database access control.
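    The database-side control Walf describes in both replies, as an added example (not code from the thread or the plugin): a dedicated MySQL/MariaDB account that can only touch the tables it maintains in the separate DB the thread calls mydbname, used with a stand-alone Adminer login as Walf suggests. The account name, table names and password are constructed placeholders.

```sql
-- Added example, not from the plugin or the thread. Assumes MySQL/MariaDB
-- and a separate database named mydbname (the name used in the thread).
-- 'site_editor', the two table names and the password are placeholders.

-- 1. A dedicated account for the site owner; Adminer (stand-alone) logs in as this
--    user, so the server, not JS or URL filtering, decides what is visible.
CREATE USER 'site_editor'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_A_LONG_RANDOM_PASSWORD';

-- 2. Row-level work only on the tables the owner is meant to maintain:
--    CSV import needs INSERT, bulk cleanup needs SELECT and DELETE.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON `mydbname`.`imported_data`   TO 'site_editor'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON `mydbname`.`imported_lookup` TO 'site_editor'@'localhost';

-- No grant on the rest of mydbname and none on the WordPress database at all:
-- those tables simply do not appear in Adminer for this account, and
-- DROP / TRUNCATE / ALTER are refused server-side even from the SQL command
-- page, because DROP (which TRUNCATE also requires) was never granted.

-- 3. Verify what the server will enforce.
SHOW GRANTS FOR 'site_editor'@'localhost';

-- Logged in as site_editor (e.g. from Adminer's SQL command page):
SHOW DATABASES;               -- lists only mydbname (plus information_schema)
SHOW TABLES FROM `mydbname`;  -- lists only the two granted tables
DROP TABLE `mydbname`.`imported_data`;  -- refused with a "command denied" error
```

    Because the check happens in the database server, it also covers the raw-SQL paths Walf lists (Select, Insert, Update and the SQL command page), which the URL-filtering approach cannot.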

  • The topic ‘Limit access to some table/DB’ is closed to new replies.