
Conversation

@jwaisner
Contributor

@jwaisner jwaisner commented Nov 24, 2025

PR Type

Enhancement


Description

  • Add phpMyAdmin 5.2.3 release configuration files

  • Create configuration file with MySQL and MariaDB server settings

  • Update bundle release version to 2025.11.23


Diagram Walkthrough

flowchart LR
  A["phpMyAdmin 5.2.3"] --> B["config.inc.php"]
  A --> C["bearsampp.conf"]
  D["build.properties"] --> E["Update release version"]
  B --> F["MySQL & MariaDB config"]

File Walkthrough

Relevant files

Configuration changes

bin/phpmyadmin5.2.3/config.inc.php (+142/-0)
phpMyAdmin configuration with server settings

  • Added complete phpMyAdmin configuration file with blowfish secret for
    cookie authentication
  • Configured MySQL server connection on port 3306 with root user
  • Configured MariaDB server connection on port 3307 with root user
  • Included optional configuration directives for display settings, query
    history, and language preferences

bin/phpmyadmin5.2.3/bearsampp.conf (+4/-0)
Bearsampp module configuration for phpMyAdmin

  • Created Bearsampp module configuration file for phpMyAdmin 5.2.3
  • Specified version as 5.2.3 and config file reference
  • Added bundle release version placeholder

build.properties (+1/-1)
Update build release version

  • Updated bundle release version from 2025.1.23 to 2025.11.23

@jwaisner jwaisner requested a review from N6REJ as a code owner November 24, 2025 00:04
@jwaisner jwaisner added the enhancement ✨ Improve program label Nov 24, 2025
@qodo-code-review
Contributor

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴
Hardcoded crypto secret

Description: Hardcoded phpMyAdmin blowfish secret is committed to source control, enabling
session/cookie tampering if reused in deployments; it must be randomized per environment
and never stored in the repo.
config.inc.php [17-17]

Referred Code
$cfg['blowfish_secret'] = 'MJkN7gbnKdyEjaR0sY}C=aX/VUCZYH3T'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Weak authentication

Description: phpMyAdmin server config allows root login with no password (AllowNoPassword true and
empty $mysqlRootPwd) which permits unauthenticated access if reachable.
config.inc.php [24-45]

Referred Code
$mysqlRootUser = 'root';
$mysqlRootPwd = '';
$mariadbPort = 3307;
$mariadbRootUser = 'root';
$mariadbRootPwd = '';

/**
 * MySQL server
 */
$i++;

$cfg['Servers'][$i]['verbose'] = 'MySQL port ' . $mysqlPort;
$cfg['Servers'][$i]['port'] = $mysqlPort;
$cfg['Servers'][$i]['user'] = $mysqlRootUser;
$cfg['Servers'][$i]['password'] = $mysqlRootPwd;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;


 ... (clipped 1 line)
Weak authentication (MariaDB)

Description: MariaDB server is configured for root with empty password and AllowNoPassword true,
enabling trivial compromise if exposed.
config.inc.php [53-60]

Referred Code
$cfg['Servers'][$i]['user'] = $mariadbRootUser;
$cfg['Servers'][$i]['password'] = $mariadbRootPwd;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
Excessive privileges

Description: Binding to 127.0.0.1 is safer, but hardcoding root user with cookie auth risks credential
brute force and privilege escalation; use least-privileged accounts and restrict access to
trusted admins only.
config.inc.php [40-41]

Referred Code
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

🔴
Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Sensitive secret committed: The configuration commits a hard-coded blowfish_secret used for cookie authentication,
which is sensitive and should not be stored in source control.

Referred Code
$cfg['blowfish_secret'] = 'MJkN7gbnKdyEjaR0sY}C=aX/VUCZYH3T'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Insecure defaults: The configuration enables AllowNoPassword = true for both servers and sets empty root
passwords, weakening authentication and increasing risk of unauthorized access.

Referred Code
$cfg['Servers'][$i]['AllowNoPassword'] = true;

/**
 * MariaDB server
 */
$i++;

$cfg['Servers'][$i]['verbose'] = 'MariaDB port ' . $mariadbPort;
$cfg['Servers'][$i]['port'] = $mariadbPort;
$cfg['Servers'][$i]['user'] = $mariadbRootUser;
$cfg['Servers'][$i]['password'] = $mariadbRootPwd;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit logs: The configuration adds servers and authentication type but does not configure or reference
any audit logging of critical actions, which may be handled elsewhere by phpMyAdmin or the
hosting stack.

Referred Code
$i++;

$cfg['Servers'][$i]['verbose'] = 'MySQL port ' . $mysqlPort;
$cfg['Servers'][$i]['port'] = $mysqlPort;
$cfg['Servers'][$i]['user'] = $mysqlRootUser;
$cfg['Servers'][$i]['password'] = $mysqlRootPwd;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

/**
 * MariaDB server
 */
$i++;

$cfg['Servers'][$i]['verbose'] = 'MariaDB port ' . $mariadbPort;
$cfg['Servers'][$i]['port'] = $mariadbPort;
$cfg['Servers'][$i]['user'] = $mariadbRootUser;


 ... (clipped 8 lines)


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error handling: The added file is a configuration-only script without explicit error handling for
connectivity or authentication edge cases, which may be inherently managed by phpMyAdmin.

Referred Code
$i++;

$cfg['Servers'][$i]['verbose'] = 'MySQL port ' . $mysqlPort;
$cfg['Servers'][$i]['port'] = $mysqlPort;
$cfg['Servers'][$i]['user'] = $mysqlRootUser;
$cfg['Servers'][$i]['password'] = $mysqlRootPwd;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = '127.0.0.1';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

/**
 * MariaDB server
 */
$i++;

$cfg['Servers'][$i]['verbose'] = 'MariaDB port ' . $mariadbPort;
$cfg['Servers'][$i]['port'] = $mariadbPort;
$cfg['Servers'][$i]['user'] = $mariadbRootUser;


 ... (clipped 8 lines)


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Error detail control: The configuration does not specify user-facing error verbosity controls, leaving it
unclear how phpMyAdmin will expose internal errors in this deployment.

Referred Code
/*
 * Directories for saving/loading files from server
 */
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';

/**
 * Defines whether a user should be displayed a "show all (records)"
 * button in browse mode or not.
 * default = false
 */
//$cfg['ShowAll'] = true;

/**
 * Number of rows displayed when browsing a result set. If the result
 * set contains more rows, "Previous" and "Next".
 * default = 30
 */
//$cfg['MaxRows'] = 50;

/**


 ... (clipped 55 lines)


Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review
Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Security
Avoid hardcoding the blowfish secret

Avoid hardcoding the blowfish_secret in config.inc.php. Instead, dynamically
generate a unique secret for each installation to prevent cookie forgery
vulnerabilities.

bin/phpmyadmin5.2.3/config.inc.php [17]

-$cfg['blowfish_secret'] = 'MJkN7gbnKdyEjaR0sY}C=aX/VUCZYH3T'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
+// Read the secret from a file. If it does not exist, generate a new one.
+$secret_file = __DIR__ . '/blowfish_secret.inc.php';
+if (file_exists($secret_file)) {
+    include $secret_file;
+} else {
+    $secret = openssl_random_pseudo_bytes(32);
+    $cfg['blowfish_secret'] = bin2hex($secret);
+    file_put_contents(
+        $secret_file,
+        '<?php' . "\n" . '$cfg[\'blowfish_secret\'] = \'' . $cfg['blowfish_secret'] . '\';'
+    );
+}
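Review bot: the return value of file_put_contents is never checked, and the secret file is created with default permissions next to config.inc.php. If the write fails, every later request takes the else branch again and mints a fresh secret, so previously issued cookies stop validating; check the result (or write a temp file and rename it into place), restrict the file to the web server user (chmod 0600), and keep it outside the web root and the repository. The include branch likewise assumes the file defines $cfg['blowfish_secret']; a guard such as `if (empty($cfg['blowfish_secret'])) { ... }` after the include would catch a truncated or hand-edited file. Two smaller points: random_bytes() is the preferred CSPRNG over openssl_random_pseudo_bytes() on PHP 7+, and a bin2hex of 32 bytes is 64 characters, so confirm that length matches what phpMyAdmin expects for blowfish_secret before adopting the snippet.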
Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical security vulnerability by pointing out the hardcoded blowfish_secret. An attacker with access to the source code could forge authentication cookies, compromising all installations. The proposed solution to dynamically generate and store the secret is a robust security improvement.

High
Disallow logging in without a password

Set $cfg['Servers'][$i]['AllowNoPassword'] to false in config.inc.php to
disallow logging in without a password, which is a significant security risk,
especially for the root user.

bin/phpmyadmin5.2.3/config.inc.php [60]

-$cfg['Servers'][$i]['AllowNoPassword'] = true;
+$cfg['Servers'][$i]['AllowNoPassword'] = false;
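Review bot: this flips AllowNoPassword only in the MariaDB block at line 60; the MySQL block sets the same key to true at line 45 (see `$cfg['Servers'][$i]['AllowNoPassword'] = true;` in the compliance report above), so the change needs to be applied to both servers. Since $mysqlRootPwd and $mariadbRootPwd are still empty strings, the root account in a default install will be refused at the login form once this lands, so the PR should also document that a password must be set on both servers.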
Suggestion importance[1-10]: 9


Why: This suggestion correctly identifies a significant security risk in the default configuration. Allowing passwordless login for the root user, even in a development environment, is poor practice. Disabling this adds an important layer of security, enforcing a more secure default setup.

High
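As an added example, not code from this PR or the Bearsampp project: a config.inc.php fragment that addresses both findings above by loading or generating the secret from a file outside the web root (the path is an assumption) and defining both servers with cookie auth, no stored credentials, AllowNoPassword off and AllowRoot off.

```php
<?php
// Added example, not code from the Bearsampp PR: a hardened secret loader and
// server block for phpMyAdmin's config.inc.php. The secret file path is assumed.

function loadOrCreateSecret(string $file): string
{
    $cfg = [];
    if (is_file($file)) {
        include $file;                     // the file sets $cfg['blowfish_secret']
    } else {
        // 16 random bytes -> 32 printable hex characters, written atomically with
        // owner-only permissions, outside the repo so it is never committed.
        $cfg['blowfish_secret'] = bin2hex(random_bytes(16));
        $php = "<?php\n\$cfg['blowfish_secret'] = '{$cfg['blowfish_secret']}';\n";
        $tmp = $file . '.tmp';
        if (file_put_contents($tmp, $php, LOCK_EX) === false
            || !chmod($tmp, 0600) || !rename($tmp, $file)) {
            throw new RuntimeException("cannot persist secret to $file");
        }
    }
    $secret = (string) ($cfg['blowfish_secret'] ?? '');
    if (strlen($secret) !== 32) {
        throw new RuntimeException('blowfish_secret must be exactly 32 bytes');
    }
    return $secret;
}

// Assumed location: one directory above the phpMyAdmin web root.
$cfg['blowfish_secret'] = loadOrCreateSecret(dirname(__DIR__) . '/private/blowfish_secret.inc.php');

$i = 0;
foreach (['MySQL' => 3306, 'MariaDB' => 3307] as $name => $port) {
    $i++;
    $cfg['Servers'][$i] = [
        'verbose' => "$name port $port", 'host' => '127.0.0.1', 'port' => $port,
        'connect_type' => 'tcp', 'extension' => 'mysqli', 'compress' => false,
        'auth_type' => 'cookie', 'user' => '', 'password' => '', // login form supplies them
        'AllowNoPassword' => false,                               // reject empty passwords
        'AllowRoot' => false,                                     // require a non-root admin
    ];
}

// Guard against the insecure defaults creeping back in through later edits.
foreach ($cfg['Servers'] as $n => $s) {
    if (!empty($s['AllowNoPassword']) || $s['user'] === 'root' || $s['password'] !== '') {
        throw new RuntimeException("server $n: insecure authentication settings");
    }
}
```

With cookie auth the user and password entries are intentionally empty; phpMyAdmin takes the credentials from the login form, so nothing secret is left in the committed file.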

@N6REJ N6REJ changed the title phpMyAdmin 5.2.3 phpMyAdmin 5.2.3 Nov 24, 2025
@github-actions

github-actions bot commented Nov 24, 2025

🐘 phpMyAdmin Module Tests - Results

Test Date: 2025-11-24 19:38:19 UTC
Status: ✅ All tests passed

📊 Test Results by Version

phpMyAdmin 5.2.3

Results: 1 of 1 versions tested

All tests passed successfully! ✨


📋 Test Phases

Each version is tested through the following phases:

  • Phase 1: Installation Validation (Download, Extract, Verify Files & Directories)
  • Phase 2: Basic Functionality (Test PHP Files, Config, Dependencies, Themes)
  • Phase 3: Database Connectivity (phpMyAdmin web interface & MySQL tests)

Check artifacts for detailed logs.

@N6REJ N6REJ changed the title phpMyAdmin 5.2.3 phpMyAdmin 5.2.3 Nov 24, 2025
@N6REJ N6REJ merged commit a3d337a into main Dec 15, 2025
7 of 9 checks passed
@N6REJ N6REJ deleted the 5.2.3 branch December 15, 2025 15:26

Labels

enhancement ✨ Improve program


3 participants