Using XAMPP web server

Gareth Saunders
Monday 5 September 2011

XAMPP control panel

As we all (should) know, testing out software on live environments isn’t particularly sensible. For the last five years in the office, and longer at home, I’ve been running XAMPP from Apache Friends as a test server on my PC.

XAMPP includes Apache httpd web server plus MySQL, PHP and Perl in an easy to install package (available for Windows, Mac, Linux and Solaris).

I don’t know about you but I’ve spent hours trying to get Apache, MySQL and PHP to speak to one another on a number of PCs. Sometimes without any success, other times after a lot of reading and config file editing. That was when I discovered XAMPP. No more delving into config files to try to coax life into your *AMPP server. Out of the box XAMPP just works.

The latest version for Windows, XAMPP 1.7.4, includes the following:

  • Apache httpd 2.2.17
  • MySQL 5.5.8
  • PHP 5.3.5
  • phpMyAdmin 3.3.9
  • FileZilla FTP Server 0.9.37
  • Tomcat 7.0.3 (with mod_proxy_ajp as connector)

Security

This simplicity, however, comes at a cost: security. As they repeatedly stress on their website:

“XAMPP is not meant for production use but only for developers in a development environment. XAMPP is configured to be as open as possible and to allow the web developer anything he/she wants. For development environments this is great but in a production environment it could be fatal.”

The missing secure elements in XAMPP are:

  • The MySQL administrator (root) has no password.
  • The MySQL daemon is accessible via network.
  • phpMyAdmin is accessible via network.
  • The XAMPP demo page is accessible via network.
  • The default users of Mercury and FileZilla are known.

Security holes which can, of course, all be patched. XAMPP comes with a security status page which allows you to see how secure it currently is.

Setting a root password on MySQL and protecting the XAMPP directory is as simple as clicking a link and filling in a couple of forms.
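An added example (not from the original post or from the XAMPP project): a small Python check for two items on the list above, the network-reachable MySQL daemon and the passwordless root login, run over constructed config text. It assumes the MySQL options `bind-address` and `skip-networking` and the phpMyAdmin settings `auth_type`, `user` and `password`; the sample configs and function names are illustrative.

```python
import re

# Constructed sample configs (not copied from a real XAMPP install).
DEFAULT_MY_INI = "[mysqld]\nport = 3306\n# bind-address = 127.0.0.1\n"
HARDENED_MY_INI = "[mysqld]\nport = 3306\nbind-address = 127.0.0.1\n"
DEFAULT_PMA = (
    "$cfg['Servers'][$i]['auth_type'] = 'config';\n"
    "$cfg['Servers'][$i]['user'] = 'root';\n"
    "$cfg['Servers'][$i]['password'] = '';\n"
)
HARDENED_PMA = "$cfg['Servers'][$i]['auth_type'] = 'cookie';\n"

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def mysqld_options(ini_text):
    """Return the active (uncommented) options of the [mysqld] section."""
    opts, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("_", "-")] = value.strip()
    return opts


def pma_setting(php_text, name):
    """Read one $cfg['Servers'][$i][name] string; commented lines are ignored."""
    pattern = r"^\s*\$cfg\['Servers'\]\[\$i\]\['%s'\]\s*=\s*'([^']*)'" % name
    match = re.search(pattern, php_text, re.M)
    return match.group(1) if match else None


def audit(ini_text, pma_text):
    """Return the still-open items, worded as in the list above."""
    findings = []
    opts = mysqld_options(ini_text)
    if "skip-networking" not in opts and opts.get("bind-address") not in LOOPBACK:
        findings.append("The MySQL daemon is accessible via network.")
    stored_login = pma_setting(pma_text, "auth_type") == "config"
    if (stored_login and pma_setting(pma_text, "user") == "root"
            and pma_setting(pma_text, "password") == ""):
        findings.append("The MySQL administrator (root) has no password.")
    return findings


if __name__ == "__main__":
    for item in audit(DEFAULT_MY_INI, DEFAULT_PMA):
        print("OPEN:", item)
```

The phpMyAdmin check only sees what phpMyAdmin is configured to log in with; the root password itself still has to be set in MySQL.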

XAMPP security report showing secure status of the installation

Conclusion

I’ve found XAMPP to be really useful, particularly for testing PHP code, developing WordPress themes and learning new Web apps.

If you don’t fancy XAMPP then there is also WampServer. Or you can get your hands dirty and delve into the config files… but remember: in the config files no-one can hear you scream.
