April 22, 2006

PostgreSQL | Installing phpPgAdmin

[Screenshot: phpPgAdmin in action]
phpPgAdmin is PostgreSQL's answer to the ever-popular phpMyAdmin. It's a PHP-based web front end for administering PostgreSQL databases - a server-side equivalent of pgAdmin III, if you like.

Installation is very simple. The basic requirements are a PHP-enabled webserver, typically Apache, with PHP 4.1 or later, and access to a PostgreSQL server. In the following description I'm assuming a UNIXoid environment such as Linux or OS X.

First, obtain the source code from the phpPgAdmin download page. RPM, Debian and Gentoo packages are available, but unless you particularly need one of these, an installation from the source package is just as easy. It's just a matter of downloading it in your preferred format - packages are available as bz2 (ca. 500KB), gz (ca. 700KB) and zip (ca. 800KB) formats - and unpacking the files in a directory somewhere accessible to your webserver.

If your PostgreSQL server is running on the same machine as the webserver, phpPgAdmin's default configuration will work "out-of-the-box"; if not, you'll need to edit the configuration file located at conf/config.inc.php. It should be self-explanatory. There's also a "backup" copy of the configuration file at conf/config.inc.php-dist.

One problem which occurs quite often is the error message "Login disallowed for security reasons", which appears when trying to log in as a user with an empty password, a common situation on (presumably well-protected) development machines. To enable this kind of login, set the option $conf['owned_only'] in conf/config.inc.php to true.

If you're installing phpPgAdmin on a publicly accessible web server, it's a very good idea to protect the phpPgAdmin directory with some kind of password protection, such as Apache's AuthType Basic. This not only prevents the login page from being indexed by search engines (where it would provide an interesting attack vector), but also provides an additional layer of security in the event that phpPgAdmin authentication vulnerabilities are discovered. (Note that phpPgAdmin does include a robots.txt file in its root directory; this can only be effective if phpPgAdmin is installed into the webserver's root directory, and in any case robots.txt only has an advisory function and may not be obeyed by all search engines.)
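One way to set up the directory protection described above, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_ssl; the install path, password file location, realm, user name and client network are all placeholders to adapt.

```apache
# Added example, not from the original post. Assumes Apache 2.4 with mod_ssl.
# All paths, the realm, the user name and the network below are placeholders.
#
# Create the password file outside the web root first (bcrypt hashes):
#   htpasswd -c -B /etc/apache2/phppgadmin.htpasswd pgadmin

<Directory "/var/www/html/phppgadmin">
    # Basic auth sends the password merely base64-encoded on every request,
    # so refuse any request that does not arrive over TLS.
    SSLRequireSSL

    AuthType Basic
    AuthName "phpPgAdmin"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/phppgadmin.htpasswd"

    # Both conditions must hold: a valid Basic-auth user AND a known network.
    # 192.0.2.0/24 is a documentation range used here as a constructed value;
    # drop the "Require ip" line if clients connect from arbitrary addresses.
    <RequireAll>
        Require valid-user
        Require ip 192.0.2.0/24
    </RequireAll>

    # robots.txt only works at the site root and is advisory. This header
    # asks crawlers not to index, wherever phpPgAdmin is installed; the
    # Basic-auth challenge above is what actually keeps them out.
    <IfModule mod_headers.c>
        Header always set X-Robots-Tag "noindex, nofollow"
    </IfModule>
</Directory>

# conf/config.inc.php-dist does not end in .php, so Apache would serve it as
# plain text. PHP reads the configuration from disk, not over HTTP, so the
# directory can be closed to web requests entirely (assumption: conf/ holds
# only configuration files, as described in the post).
<Directory "/var/www/html/phppgadmin/conf">
    Require all denied
</Directory>
```

Check the result with `apachectl configtest` before reloading, then confirm that an unauthenticated request to the phpPgAdmin URL returns 401 and that a request for conf/config.inc.php-dist returns 403.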

Posted at 6:23 PM

uh, do you really mean the "owned_only" parameter? The "extra_login_security" one did it for me...
Posted by: name | 2009-08-23 12:17
'extra_login_security' =

If extra login security is true, then logins via phpPgAdmin with no password or certain usernames (pgsql, postgres, root, administrator)
will be denied.
Posted by: Larp | 2009-11-25 12:18
As Larp, I had to set extra_login_security to false to log in as root.
Posted by: seb | 2010-02-08 09:33
Setting extra_login_security=false worked for me too. There are some interesting comments on that in the config file.
Posted by: Nidhi | 2011-02-06 18:00