Adminer is so refreshing after using phpMyAdmin, which seems to get slower and more bloated with every release. I was very impressed and plan to use Adminer and donate.
However, after a few minutes of testing it out I noticed it had external dependencies - it even injects remote javascript! I then went back to your website and looked around to see if this is mentioned anywhere, or a simple way to just include the files yourself locally... nope. Maybe a plugin... nope. But I did see you mention that Adminer is more secure than phpMyAdmin! Excuse me, but aside from a version check, I don't see phpMyAdmin loading untrusted third-party javascript onto a page with potentially sensitive information.
I find this all terribly misleading. The whole "Database management in a single php file" is kinda a gimmick, and really isn't a virtue. What's the harm in including all dependencies in the download? Is one file so much better than three files and a folder?
+-adminer.php
+-includes/
| +-all_javascript.js
| +-all_css.css
I know the script can be altered to solve this problem and include the files locally, but the point is you are falsely promoting this as a secure drop-in solution with no mention of this security vulnerability. How many people might use this in a business environment and with a database with sensitive information? If your adminer.org server is hacked to serve malicious javascript, game over. Any data then displayed via Adminer is there for the taking.
I hope you choose to take a more secure-by-default approach in the future with zero external dependencies.
Thank you for the report. The Git version of Adminer now includes the syntax highlighter locally. The version checker now uses an iframe instead of a script. So no external JavaScript is executed anymore.
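A way to verify the claim above on any self-hosted tool, as an added example that is not Adminer's code: fetch the page the tool serves, list every cross-origin resource it references, and distinguish a remote `<script>` (runs with full access to the page's DOM and data) from a remote `<iframe>` (origin-isolated, but still tells that host you are using the tool). The hostnames and page snippets are constructed placeholders.

```python
# Added example (not Adminer's own code): audit served HTML for
# cross-origin resources, the check behind "zero external dependencies".
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute to inspect per tag, and how much a remote one matters:
# a remote <script> executes in the page's origin with full DOM access,
# a remote <iframe> is origin-isolated but still discloses use to that host.
WATCHED = {"script": "src", "iframe": "src", "link": "href", "img": "src"}
SEVERITY = {"script": "high", "iframe": "medium"}

class ExternalRefCollector(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()  # host the tool itself is served from
        self.refs = []  # (tag, url, severity)

    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlsplit(url).netloc.lower()  # empty for relative/local paths
        if host and host != self.page_host:
            self.refs.append((tag, url, SEVERITY.get(tag, "low")))

def audit_html(html, page_host):
    """Return every cross-origin reference found in the page, in document order."""
    p = ExternalRefCollector(page_host)
    p.feed(html)
    return p.refs

def loads_remote_script(html, page_host):
    """True if any script from another origin would execute in the page."""
    return any(tag == "script" for tag, _, _ in audit_html(html, page_host))

# Constructed sample pages (hostnames are placeholders, not adminer.org).
BEFORE = ('<script src="https://cdn.example.org/highlighter.js"></script>'
          '<script src="https://updates.example.org/version.js"></script>')
AFTER = ('<script src="static/highlighter.js"></script>'
         '<iframe src="https://updates.example.org/version" hidden></iframe>')

if __name__ == "__main__":
    for name, page in (("before", BEFORE), ("after", AFTER)):
        print(name, loads_remote_script(page, "db.internal"),
              audit_html(page, "db.internal"))
```

Run it against the HTML your own Adminer instance returns (with your real hostname as `page_host`); a "high" finding means code from another origin still runs next to your query results.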
Thank you for promptly addressing this issue.