As mentioned before, XAMPP is not meant for production use, only for developers in a development environment. XAMPP is configured to be as open as possible and to allow the developer anything he/she wants.
For development environments this is great but in a production environment it could be fatal.
Here is a list of the security measures missing in XAMPP:
- The MySQL administrator (root) has no password.
- The MySQL daemon is accessible via network.
- phpMyAdmin is accessible via network.
- Examples are accessible via network.
To fix most of the security weaknesses simply call the following URI:
MySQL starts with standard values for the username and the password. The preset username is "root", the password is "" (= no password). To access MySQL via PHP with the preset values, you'll have to use the following syntax:
mysql_connect("localhost", "root", "");
If you want to set a password for MySQL access, please use MySQL Admin.
To set the password "secret" for the user "root", type the following:
\xampp\mysql\bin\mysqladmin.exe -u root password secret
After changing the password you'll have to reconfigure phpMyAdmin to use the new password, otherwise it won't be able to access the databases. To do that, open the file config.inc.php in \xampp\phpmyadmin and edit the following lines:
$cfg['Servers'][$i]['user'] = 'root'; // MySQL User
$cfg['Servers'][$i]['auth_type'] = 'cookie'; // Cookie authentication
With this setting, phpMyAdmin asks for the 'root' password and checks it against the MySQL server before you can access phpMyAdmin.
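The following Python script is an added example, not part of XAMPP or the original text: it reads the text of a MySQL options file and of phpMyAdmin's config.inc.php and reports the weaknesses listed above. The function names and the sample file contents are constructed for illustration; it inspects configuration only and does not connect to MySQL.

```python
import configparser
import re

# Constructed sample inputs (not taken from a real installation).
SAMPLE_MY_INI = "[mysqld]\nport = 3306\n# bind-address = 127.0.0.1\n"
SAMPLE_PMA_CONFIG = """\
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def pma_setting(text, key):
    """Last uncommented value assigned to $cfg['Servers'][$i][key], or None."""
    pattern = re.compile(
        r"^\s*\$cfg\['Servers'\]\[\$i\]\['" + re.escape(key)
        + r"'\]\s*=\s*'?([^';]*)'?\s*;", re.MULTILINE)
    found = pattern.findall(text)
    return found[-1].strip() if found else None


def audit(my_ini, pma_config):
    """Return findings for the network and password weaknesses."""
    findings = []
    ini = configparser.ConfigParser(allow_no_value=True, strict=False,
                                    interpolation=None,
                                    inline_comment_prefixes=("#",))
    # MySQL accepts bind_address and bind-address alike; normalise both.
    ini.optionxform = lambda name: name.lower().replace("_", "-")
    ini.read_string(my_ini)
    mysqld = ini["mysqld"] if ini.has_section("mysqld") else {}
    if ("skip-networking" not in mysqld
            and mysqld.get("bind-address") not in LOOPBACK):
        findings.append("mysqld listens on the network")
    if pma_setting(pma_config, "auth_type") == "config":
        findings.append("phpMyAdmin logs in without asking for credentials")
        if pma_setting(pma_config, "password") in (None, ""):
            findings.append("stored MySQL password is empty")
    if (pma_setting(pma_config, "AllowNoPassword") or "").lower() == "true":
        findings.append("phpMyAdmin accepts empty passwords")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MY_INI, SAMPLE_PMA_CONFIG):
        print("WEAK:", finding)
```
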
CPAN and PEAR are preinstalled with only the basic packages. If you need additional packages, you can use the XAMPP Shell (xampp_shell.bat) and install them with the command line tools:
- cpanp i Foo
- pear install Foo
If you don't have a VC6 compiler, you can use "ppm" instead of "cpanp" to install binary packages.