Tuesday, January 24, 2006


Today I took a closer look at XAMPP, which seems to be a very interesting project. I even use it on a SuSE Linux 9.0 server, because I didn't want to go through the rather painful process of updating PHP to a current version (which would have required resolving a lot of dependencies). There are some good things about it, but also some things that I don't like very much.

Generally I think that XAMPP is very much tailored to beginners, to make it easy for them to set up a development environment. But I don't think that many advanced developers use it, because if you try to set it up for the needs of more advanced users, it's almost as much effort as installing each component manually. However, I believe that it would not be impossible to serve the needs of both groups - beginners and advanced users - by making a few more things customizable during the installation process.

MySQL is a product that shows perfectly that it's possible to keep things simple, yet still advance in a way that doesn't affect users who prefer to keep things at a simpler level. New (advanced) features are implemented, but the "old" features still work the way that people are used to. I think that this strategy would also work for XAMPP.

What I have in mind is to offer options at the beginning of the installation process: one could be "default" or "complete", where the installation process remains basically as it is, and a second option "custom", where a user could select which components to install and choose more advanced options, if desired.

Here are some things - basically about MySQL - that I didn't find so good in XAMPP's installation:
  • The InnoDB storage engine is by default disabled.

  • The structure of the mysql (privilege) database is still set up to handle only old-style passwords. It's necessary to run the mysql_fix_privileges script to update the structure.

  • With the Linux version of XAMPP, the owner of the MySQL programs, the data directory, etc. is set to root, and the server also runs as root, which is a security risk.

  • IIRC (and I think that's actually a MySQL issue rather than a XAMPP issue), there's an anonymous user by default. I don't think that anonymous users are necessary in most environments.

There are more MySQL settings that I'm used to changing, but these are mainly personal adjustments.

But the most important thing I would argue for is making things more customizable, while still offering a default install option that leaves things unchanged for those users who don't want to adjust settings.

If there are good reasons why those things are the way they are - or if you have more ideas for XAMPP - please let me know. But maybe there are some points that can be discussed and eventually changed, so that XAMPP can become a product that attracts more advanced users, too.


Anonymous said...

If you take a look at the default PHP installs, you'll also see quite a few gaping security holes. They (along with entropy.ch's packages) have also gone with the "more = better" way of thinking when it comes to extensions and simply installing everything they can get their hands on.

They do market XAMPP as a 'development' tool rather than one for production use, but I only found that buried at the bottom of a FAQ when I found an admin where I worked had installed it for the production site.


I wouldn't even recommend it for newbies. They've made it so involved that if anything ever goes wrong, you need to know quite a bit (for a newbie, at least) in order to repair it.

Kai 'Oswald' Seidler said...

Two minor corrections:
MySQL is of course not running as root. And the purpose of XAMPP being a development platform and not for production use is noted on the XAMPP project's front page and is not buried at the bottom of a FAQ. ;)

Markus Popp said...

Hmmmm, I recently installed the Linux version of XAMPP on a SuSE Linux 9.0 machine and all the files were defined with user root - and the my.cnf file didn't change the user in the [mysqld] section.

Kai 'Oswald' Seidler said...

Yes, you're right, but MySQL is compiled with --with-mysqld-user=nobody. So the user change is hard-coded (unless set otherwise).