It's not using the webserver's basic auth, it's using their own implementation (https://github.com/phpmyadmin/phpmyadmin/blob/297c1e174b93a9..., via PHP's: https://www.php.net/manual/en/features.http-auth.php).
It's not using the webserver's basic auth, it's using their own implementation (https://github.com/phpmyadmin/phpmyadmin/blob/297c1e174b93a9..., via PHP's: https://www.php.net/manual/en/features.http-auth.php).
You can easily put phpMyAdmin behind basic auth as an additional security layer, completely bypassing any PHP execution and letting the web server completely handle the authentication. It's exactly what I have done multiple times in the past. Arguably phpMyAdmin's direct integration is a less secure way of doing it, but do we even know if it's the basic auth itself that was bypassed, or was it just the case of a weak password?
Sure, and I can put the VX gas vials in a safe in my basement, but I'd rather not have them anywhere near me at all.