phpmyadmin

Developers
2014-06-22
2014-06-29
  • Brady Miller

    Brady Miller - 2014-06-22

    Hi,

    Any thoughts on removing embedded phpmyadmin from OpenEMR? From a security standpoint, the project has not had enough resources to keep this tool updated.

    -brady
    OpenEMR

     
  • Rod Roark

    Rod Roark - 2014-06-23

    I think removing it is best.

    Rod
    http://www.sunsetsystems.com/

     
  • Roberto

    Roberto - 2014-06-23

    phpMyAdmin is simple to install from its website and it is updated. I do not see a reason to keep it embedded in openemr.

     
    • Pieter W

      Pieter W - 2014-06-23

      If it is simple, where can I find a tutorial WIKI on HOWTO install for OpenEMR? I want to see with my own eyes that it is so simple. I remember once, I tried to do an upgrade with terrible results, but that was many versions ago.

       
  • Kevin Yeh

    Kevin Yeh - 2014-06-23

    I suspect that fsgl and Pimm will miss having PhpMyAdmin as part of the pre-installed package on the demo servers.

    The primary benefit of it being part of the package is the ability to run arbitrary SQL when the only access is available through a browser.. (e.g. hosted environments...)

    The workaround would be to install PHPMyAdmin separately when you rebuild your demo servers to provide direct database access to test users should you deem it worthy of your effort.

    From a security standpoint, the project will be better off without it in our source tree, but there are some disadvantages.

     
    • iankarlwallace

      iankarlwallace - 2014-06-23

      I agree that from a security perspective the code set is better off with
      phpmyadmin removed but I do agree with Kevin. We should keep it installed
      on the demos to allow for running SQL/debugging. Benefit for installing
      the distro is that you get the security updates for free.

      Brady - Thanks for starting this discussion - it was on my list of things
      to do.

      I would suggest we remove phpmyadmin in version 4.1.3.

      ian

      On Sun, Jun 22, 2014 at 7:03 PM, Kevin Yeh yehster@users.sf.net wrote:

      I suspect that fsgl and Pimm will miss having PhpMyAdmin as part of the
      pre-installed package on the demo servers.

      The primary benefit of it being part of the package is the ability to run
      arbitrary SQL when the only access is available through a browser.. (e.g.
      hosted environments...)

      The workaround would be to install PHPMyAdmin separately when you rebuild
      your demo servers to provide direct database access to test users should
      you deem it worthy of your effort.

      From a security standpoint, the project will be better off without it in
      our source tree, but there are some disadvantages.



      --
      Ian Wallace - CCRMC DFM Staff Physician - (c) 303.681.5732

       
  • Pieter W

    Pieter W - 2014-06-23

    You are correct in the statement that I, on a personal term speaking, yes I will miss phpMyAdmin terribly.

    What does it involve to get the version for personal use with the optional advice to install PhpMyAdmin afterwards and let it work flawlessly with OpenEMR? If there is a clear cut way to go and if there is a WIKI page How to add phpMyAdmin and let it work with OpenEMR, there is no reason to include. If it is almost impossible for non programmers to get phpMyAdmin to work with OpenEMR I vote for inclusion and get a message of "SECURITY is at stake" in place.

    Windows XP is insecure they say, but with some measures the insecurity is acceptable (no direct Internet connections etc..)

    Windows 7 is even better

    Windows 8 is so secure ......... till when?

    Linux and Ubuntu and derivatives like Mint17, are still considered rather safe.

    Conclusion: If there is a possibility to learn the quick and easy way how to add phpMyAdmin, leave it out.

    But the option of activation of phpMyAdmin through Globals, to enable phpMyAdmin would even be better (now the default is enabled, and the default could be NOT-enabled). Would this option make phpMyAdmin more acceptable to include and safe? If the answer is YES....., we could make phpMyAdmin as the Default in but inactivated, keep phpmyAdmin not activated unless the user takes action, with some warning of the consequences.

     
  • Pieter W

    Pieter W - 2014-06-23

    The idea that I use phpMyadmin only for SQL is incorrect. I mostly use it for backup of CSV files for different tables and upload CSV files.

    Sometimes to correct wrong input of a USER.

     
  • Frankie

    Frankie - 2014-06-23

    Security should be top priority over ease of use when it comes to protected health information. I vote for removal.

     
  • fsgl

    fsgl - 2014-06-23

    Into the mix in the discussion about eliminating phpMyAdmin, should be added didactics. Many new users come to understand the form and functions of the database through interactions with phpMyAdmin on the various Demo's. Removing it would be the removal of a very good teaching tool.

    My set of Ophthalmology forms are readily available with a phpMyAdmin import. Unlike the Contributed Forms, they cannot be copied and pasted into interface/forms and registered. To date the Wiki page has been viewed 3,900 times.

    I don't think that security is at the core of the issue, merely a coincidental one. There are other aspects of OpenEMR which are insecure, but doubtlessly there will be no talk of removal, let alone removal itself. If phpMyAdmin is insecure as a part of the package, how is it more secure when installed separately by the user?

    If Brady does not have the time to maintain it; of course, we understand. As he is apt to say, he is only a volunteer. Being project administrator is more than a little hobby like stamp collecting. (Thanks, Kevin for what the Brits call "fellow feelings".) We are DIY-ers; therefore, we will manage.

     
  • MD Support

    MD Support - 2014-06-23

    Bundling phpMyAdmin with OpenEMR is an overkill for a simple and native database administration requirement. If phpMyAdmin is replaced by a single text-area form that passes user input as a SQL query using standard OpenEMR function, it will let expert users or administrators debug and fix issues while their actions get logged.

    System admins with database management expertise don't need guidance on using phpMyAdmin or other MySQL admin tools to manage OpenEMR database.

     
  • Stephen Waite

    Stephen Waite - 2014-06-23

    most certainly we should strive for security and removing phpMyAdmin is important for the work that is being done by iankarlwallace, debian package

    maybe a new wiki on how to install phpmyadmin separately? here's digital ocean's install guide

     
    • Pieter W

      Pieter W - 2014-06-23

      This looks promising. I will look into it and see if I can manage. If I can, most diversified USERS of OpenEMR will have no problem.

      While I look into it I will make notes to have a WIKI in place when it is lost for the Distros of OpenEMR.

       
  • fsgl

    fsgl - 2014-06-23

    If one of the goals of this project is wide acceptance by the medical community, any tool that promotes that goal is worth preserving, if the costs are not too great to bear.

    PhpMyAdmin has little database management value for the typical developer. Kevin advised us long ago that there are better tools. The focus, however, should not be solely on developers.

    If we are considering tools which illustrate to the medical community the value of OpenEMR and which would ultimately lead to its greater acceptance by physicians, then we should not be in great haste to jettison phpMyAdmin. Concentrating on short term gains and losing sight of long term goals may prove to be myopic and unwise.

     

    Last edit: fsgl 2014-06-23
    • iankarlwallace

      iankarlwallace - 2014-06-23

      Thanks to everyone for giving some perspective to this question. I am torn over this issue personally as I think the project has included phpmyadmin in the code set for a long time and stripping it out might confuse some - a la "Where's myphpadmin it's always been there for me!"

      There is a middle ground of keeping what we have now and I will create the Debian package to strip it out. Will be a bit confusing if people mix and match the packages (Brady's deb package and then one from a mirror - we might want to put that the two Conflict and shouldn't be installed together).

      I brought up the question b/c Debian (or ubuntu or LM) all have phpmyadmin packaged and it appeared to be redundant. I realize that lots of people use Windows as well and it's convenient to have it all in one install.

      Sure having code in our source tree that's from another project that isn't regularly updated presents security risks b/c we don't get fixes/updates. In my mind that's a plus to removing but not the main reason - we are duplicating code and don't need to.

      I have already stripped phpmyadmin from the debian-med version.

      Ian

      Ian Wallace 303-681-5732

      On Jun 23, 2014, at 9:24 AM, "fsgl" fsgl@users.sf.net wrote:

      If one of the goals of this project is wide acceptance by the medical community, any tool that promotes that goal is worth preserving, if the costs are not too great to bear.

      PhpMyAdmin has little database management value for the typical developer. Kevin advised us long ago that there are better tools. The focus, however, should be solely on developers.

      If we are considering tools which illustrate to the medical community the value of OpenEMR and which would ultimately lead to its greater acceptance by physicians, then we should not be in great haste to jettison phpMyAdmin. Concentrating on short term gains and losing sight of long term goals may prove to be myopic.


       
  • fsgl

    fsgl - 2014-06-23

    Ian,

    Please clarify,

    1. If Brady builds an Ubuntu Demo with LAMP, phpMyAdmin is included in the LAMP package?

    2. Is this thread about OpenEMR package downloads or about the Demo's?

    If the answer to the first question is "yes" and the answer to the second is "downloads", that would help to settle a great deal of my concerns and some of your angst.

    If phpMyAdmin can continue to be a teaching tool in the Demo's, that would be great. Adding phpMyAdmin is a 4 step process which can be handled by most Linux neophytes.

     
  • fsgl

    fsgl - 2014-06-23

    Well, I just triggered the spambot alert again with the above post.

    Let's try again without the offending link.


    Ian,

    Please clarify,

    1. If Brady builds an Ubuntu Demo with LAMP, is phpMyAdmin part of the LAMP package?

    2. Is this thread about the OpenEMR package downloads or the Demo's?

    If the answers are "yes" and "downloads", my concerns and some of your angst will be mitigated.

    If the Demo's continue to have this teaching aid, it will be great. We, Linux neophytes, will not have a difficult time adding a missing phpMyAdmin because I just learned it's a 4 step process.

     
    • iankarlwallace

      iankarlwallace - 2014-06-24

      Fsgl -

      Ian Wallace 303-681-5732

      On Jun 23, 2014, at 4:31 PM, "fsgl" fsgl@users.sf.net wrote:

      Well, I just triggered the spambot alert again with the above post.

      Let's try again without the offending link.

      Ian,

      Please clarify,

      If Brady builds an Ubuntu Demo with LAMP, is phpMyAdmin part of the LAMP package?

      I guess there are really two separate things. Brady builds a package that can be installed/uninstalled via dpkg on the command line. That's the OpenEMR package.

      We can add phpmyadmin to the demo servers outside of the actual OpenEMR package that allow it to communicate with MySQL and access the OpenEMR database. In the end no decrease in functionality for the end user; it's just that Brady no longer has to include the phpmyadmin source in the distro. The first time around we'll need to configure phpmyadmin correctly but after that things shouldn't change.

      The hardest part would probably be that the URL to access would change to just 'phpmyadmin' instead of 'openemr/phpmyadmin'.

      Is this thread about the OpenEMR package downloads or the Demo's?

      In the end it's really about neither downloads nor demos. This new package would show up in Debian with commands like apt-get, synaptic, etc. Brady could distribute a separate package but the hope would be that he wouldn't have to. Reducing his work load and providing for a larger/easier distribution network.
      If the answers are "yes" and "downloads", my concerns and some of your angst will be mitigated.

      If the Demo's continue to have this teaching aid, it will be great. We, Linux neophytes, will not have a difficult time adding a missing phpMyAdmin because I just learned it's a 4 step process.

      I would always advocate that people install some tool to help with the admin of the DB (that is unless you are a command line wizard).

      Not a hard install or configuration but still an extra step.


       
  • Pieter W

    Pieter W - 2014-06-24

    Dear friend and thinker fsgl,

    don't forget to make notes to include in the new WIKI pages of phpMyAdmin. Even four steps can be hard for some of us. But if it is so easy to install, why would it be different if phpmyadmin is a separate web page and put all particulars in the separate WIKI or website to change OpenEMR tables? Is this not an open request for intrusion, if we have to tell the active USERS how to use phpMyAdmin....

     
  • fsgl

    fsgl - 2014-06-24

    Ian,

    PhpMyAdmin is part of the package deal of XAMPP for Windows, that takes care of the majority of users. LAMP has it. The Demo's will have it. Only the future Ubuntu-Debian package will not have it.

    For most of this thread, I got the impression phpMyAdmin will be uncoupled from all copies of OpenEMR. Incorrect understanding on my part.

    The mountain turned out to be a molehill.

    Equilibrium has been restored to this little universe.


    Pimm,

    The first of my duplicate posts has been deemed not to be a spambot, so you can click the link and see that most beginners will be able to install it.

     
    • iankarlwallace

      iankarlwallace - 2014-06-24

      fsgl - I guess in the end this comes down to Brady - keeping a bunch
      of different versions available (one with phpmyadmin, one without) is
      kinda a pain. The tool is readily available to be
      installed/configured to access the OpenEMR mysql database at any time.
      I personally would lobby for the following:

      1) For the next several packages of OpenEMR (4.1.2 patch 8 and beyond)
      I would suggest that we announce that phpmyadmin will be removed - how
      we do that I am not sure ... modification of the phpmyadmin index page
      to alert people it will be removed (?) - announcement on the downloads
      page as well(?)

      2) For the debian-med version I will remove it from the source via a
      Files-Excluded header directive otherwise the package will be rejected
      out of hand for duplicated code that doesn't need to be in the
      package.

      I think I might have confused more than I clarified with my prior
      email. My intent WOULD be to remove phpmyadmin from the entire code
      base (Windows/Linux distro). I guess I was trying to impart that it
      is readily available from other resources and can be installed for
      usage on the demos/peoples local instances without much hassle.
      People are missing out on the updates from the phpmyadmin project by
      using our embedded version.

      I will start looking into how hard this is since I am talking in the
      theoretical at this point. Won't be able to do it tonight but will
      try to look at tomorrow.

      Again I apologize if I misled anyone.

      cheers
      ian

      On Mon, Jun 23, 2014 at 9:37 PM, fsgl fsgl@users.sf.net wrote:

      Ian,

      PhpMyAdmin is part of the package deal of XAMPP for Windows, that takes care
      of the majority of users. LAMP has it. The Demo's will have it. Only the
      future Ubuntu-Debian package will not have it.

      For most of this thread, I got the impression phpMyAdmin will be uncoupled
      from all copies of OpenEMR. Incorrect understanding on my part.

      The mountain turned out to be a molehill.

      Equilibrium has been restored to this little universe.


      Pimm,

      The first of my duplicate posts has been deemed not to be a spambot, so you
      can click the link and see that most beginners will be able to install it.



      --
      Ian Wallace - CCRMC DFM Staff Physician - (c) 303.681.5732

       
    • Pieter W

      Pieter W - 2014-06-24

      There are two parts of concern:

      1. phpMyadmin for the Tables (now available in most versions of OpenEMR).
      2. getting the folders to show where what is and who did the work to make things as is. (not available in OpenEMR Farm versions, nor Demos) Only visible for view and changes and can be approached and changed in Local versions and GitHub.
       
  • Brady Miller

    Brady Miller - 2014-06-24

    Hi,

    After reading above posts, sounds like key things to sort out before considering removal of phpmyadmin are:
    1. See how easy it is to install phpmyadmin on linux by a DIY user.
    2. Ensure we are not sending the DIY user over a security cliff (ie. unknowingly install a very unsecure phpmyadmin that requires no credentials, which ends up being much worse from a security perspective than what is currently in OpenEMR).
    3. Get it working on the demo farm

    Regarding the debian package, should migrate following key points of discussion to the openemr deb/ubuntu package forum thread:
    1. Don't let philosophy get in the way :) (OpenEMR is simply a beast of a software package :) I would suggest not removing features or doing things that hinder innovation/progress in OpenEMR or cause future undue burden towards yourself to proceed or maintain). For example, phpmyadmin has been modified to work with OpenEMR credentials/ACL; I would rec not removing it from any package unless OpenEMR community agrees.
    2. What to do with the current deb package when the official debian-med one is in circulation(this is simple(ie. remove from existence), but need to iron out some details).

    -brady
    OpenEMR
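
Added example, not part of the thread or of OpenEMR's code: a Python check for the risk in point 2 of the post above, a separately installed phpMyAdmin that admits visitors without credentials. It reads a phpMyAdmin `config.inc.php` and flags `auth_type = 'config'` and `AllowNoPassword = true`; both sample configs are constructed, and treating a missing `auth_type` as `cookie` is an assumption to verify against the installed version.

```python
import re

# Matches lines such as: $cfg['Servers'][$i]['auth_type'] = 'cookie';
SETTING = re.compile(
    r"^\s*\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*(?P<val>[^;]+);",
    re.MULTILINE,
)

def server_settings(config_text):
    """Return per-server settings as {key: value}, ignoring commented-out lines."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)
    text = re.sub(r"^\s*(//|#).*$", "", text, flags=re.MULTILINE)
    # Later assignments overwrite earlier ones, as they would in PHP.
    return {m["key"]: m["val"].strip().strip("'\"") for m in SETTING.finditer(text)}

def audit(config_text):
    """List settings that let someone reach the database without logging in."""
    s = server_settings(config_text)
    findings = []
    # Assumption: a missing auth_type means cookie authentication.
    auth = s.get("auth_type", "cookie").lower()
    if auth == "config":
        findings.append("auth_type=config: credentials stored in file, no login prompt")
    if s.get("AllowNoPassword", "false").lower() == "true":
        findings.append("AllowNoPassword=true: accounts with empty passwords can log in")
    if auth == "config" and s.get("password", "") == "":
        findings.append("auth_type=config with empty password: open database access")
    return findings

# Constructed sample: the "security cliff" install, no credentials required.
WEAK = """<?php
$i = 1;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

# Constructed sample: login form required, empty passwords refused.
HARDENED = """<?php
$i = 1;
$cfg['Servers'][$i]['host'] = 'localhost';
// $cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```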

     
    • Pieter W

      Pieter W - 2014-06-24

      Brady,

      you sound like a very involved person.... LOL ..... YOU ARE!

      A WIKI Page and some reassurances about security and HIPAA are INTERNATIONAL good practice policies. No doubt about that. If phpMyAdmin is placed in a different folder outside OpenEMR and make a comparison or compare phpMyAdmin with other similar software in a WIKI, it could be an advantage. I wish I had more time to investigate. I did a check on my Web-site and there the option to include or not use phpMyAdmin for Database corrections is available, it is also something optional and very easy to implement (C-panel is used and very encouraging for starters like me).

      So it could be "we see elephants and bears" (not beers like in soccer) but indeed caution should be in place not to harm the vast majority of Users with less willingness to spend more money.

      It is hard to get the funds for accreditation (?), so it will be hard to convince USERS to pay or to pay more than a sub-liminal virtual fee.

       

      Last edit: Pieter W 2014-06-24
  • fsgl

    fsgl - 2014-06-24

    O.K.,

    So it's really a mountain after all.

    Returning to the mindset of when I installed OpenEMR for the first time in 2009. It was a bear. Failed miserably to the point that I gave up trying for the next 3 years.

    Brady will remember how difficult it was before Sam Bowen gave us the first XAMPP-OpenEMR package for Windows. Without the package, I would never have been able to install OpenEMR and certainly would not be posting in the Forums today.

    I would not be going out on a limb to say that Windows users would be less inclined to deploy OpenEMR the more components we ask them to install. A quick sampling of the install questions comes from Linux users, not Windows users. This phenomenal success is due in large part to the package. Bear in mind, most physicians would not have the confidence to explore open source applications in the first place and reflexively would go for the paid stuff.

    Gentlemen,

    I would suggest that we should not have OpenEMR become the purview of IT types, however inadvertently. We value our developers, but we must not miss the forest for the trees. If we make the geeks happy, but physicians are scared away, is it not a Pyrrhic victory?

     