Install XAMPP For An Offline Development Environment With Apache And MySQL Running Locally On Windows

Last reviewed/updated: 28 Oct 2017 | Published: 08 Dec 2014 | Status: Active
Web browser support: Internet Explorer 10+, Edge 12+, Firefox 6+, Chrome 30+, Opera 17+

1. Introduction

Ideally, web sites are developed in an offline development environment before being pushed to the online production environment. However, many web developers, unable or unwilling to install a web server and SQL database server, skip the offline development step and push their untested code to the online production environment. This is unfortunate because setting up an offline development environment with a web server and SQL database server running locally on Windows is much simpler than one might think.

Apache Friends XAMPP (apachefriends.org) includes the Apache HTTP Server web server (including PHP interpreter) and the MySQL SQL database server. After XAMPP is installed, running Apache and MySQL is as simple as a couple of mouse clicks. In this example, XAMPP for Windows is installed on a local computer running Windows 7/8.1/10, In this example, local computer means either your computer, or any computer on a local network with your computer. The local computer onto which XAMPP is installed is known as the XAMPP host computer. Your computer and the XAMPP host computer (which may or may not be the same computer) constitute the offline development environment with Apache and MySQL running locally on Windows.

Actually, the XAMPP SQL database server is MariaDB, which is developed by the MariaDB Foundation, not MySQL, which is developed by Oracle. MariaDB is a drop in place replacement for MySQL. Therefore, for most practical purposes, the terms MariaDB and MySQL are interchangeable. In this example, MySQL is used throughout.

1.1. Security

XAMPP is not intended for installation on:

  • A computer that is directly connected to the Internet (i.e., a computer assigned a public IP address because it is not behind a gateway/router).
  • An Internet-facing server (i.e., a computer that provides a service over the Internet).
  • A computer that stores or has access to sensitive/valuable data.
  • In other words, XAMPP is not intended for use in public/Internet/online/production environments.

XAMPP is intended for installation on:

  • A computer that is connected to a local network (i.e., a computer assigned a private IP address because it is behind a gateway/router).
  • An Intranet-facing server (i.e., a computer that provides a service over an Intranet).
  • A computer that does not store and does not have access to sensitive/valuable data.
  • In other words, XAMPP is intended for use in private/Intranet/offline/development environments.

2. Install XAMPP

XAMPP supports Windows, Linux, And Mac OS X. The latest versions of XAMPP for Windows supports Windows 7/8.1/10.

The XAMPP version indicates the included PHP version. XAMPP for Windows 5.6.x includes PHP version 5.6.x. XAMPP for Windows 7.0.x includes PHP version 7.0.x. XAMPP for Windows 7.1.x includes PHP version 7.1.x. As most web hosts provide PHP 5.6.x support by default, in this example, XAMPP for Windows 5.6.x is installed. More specifically, in this example, XAMPP for Windows 5.6.24 is installed on Windows 7.

The computer onto which XAMPP is installed is known as the XAMPP host computer.

To install XAMPP:

  1. Download the latest version of XAMPP for Windows 5.6.x from Download XAMPP (apachefriends.org). In this example, XAMPP for Windows 5.6.24 was downloaded.
  2. Double click the XAMPP installer. In this example, xampp-win32-5.6.24-1-VC11-installer.exe was double clicked.
  3. On Windows 7/8.1, the User Account Control: Do you want to allow the following program from an unknown publisher to make changes to this computer? dialog appears. Click Yes.
    On Windows 10, the User Account Control: Do you want to allow this app from an unknown publisher to make changes to your device? dialog appears. Click Yes.
  4. If XAMPP detects an anti-virus program is installed, the Question: Continue with installation? dialog appears. Read the information on how an anti-virus program might interfere with XAMPP. Click Yes.
  5. If XAMPP detects that User Account Control (UAC) is enabled, the Warning: Important! Because an activated User Account Control (UAC) on your system some functions of XAMPP are possibly restricted. With UAC please avoid to install XAMPP to C:\Program Files (x86) (missing write permissions). Or deactivate UAC with msconfig after this setup. dialog appears. I have not had an issue with UAC if XAMPP is installed to the default location (C:\xampp) or to a location other than C:\Program Files (x86). Click OK.
  6. The Setup: Setup - XAMPP dialog appears. Click Next.
  7. The Setup: Select Components dialog appears. By default, all components are checked (i.e., selected) for installation. In this example:
    1. Under Server, Apache, which XAMPP considers a required component, is automatically checked and grayed out. If your development environment requires MySQL, check MySQL. Otherwise, uncheck MySQL. In this example, MySQL was checked.
    2. Under Program Languages, PHP, which XAMPP considers a required component, is automatically checked and grayed out.
    3. Under the second entry for Program Languages, if you are installing MySQL and want to use phpMyAdmin to manage MySQL, check phpMyAdmin. Otherwise, uncheck phpMyAdmin. In this example, phpMyAdmin was checked.
      phpMyAdmin is a web-based graphical user interface (web GUI) for managing MySQL. If phpMyAdmin is not installed, the only way to manage MySQL is by issuing SQL commands at the command prompt. In other words, although not technically required for managing MySQL, phpMyAdmin is installed as an option for managing MySQL.
    4. In this example, all other components were unchecked:
      XAMPP Installation: Setup - Select Components
    5. Click Next.
  8. The Setup: Installation folder dialog appears. By default, the installation folder is C:\xampp. This is fine and avoids the potential UAC issue mentioned above. Click Next.
  9. The Setup: Bitnami for XAMPP dialog appears. Uncheck Learn more about Bitnami for XAMPP. Click Next.
  10. The Setup: Ready to Install dialog appears. Click Next.
  11. The Setup: Welcome to XAMPP! dialog appears and XAMPP installation commences.
  12. If Windows Firewall is running, the Windows Security Alert: Windows Firewall has blocked some features of this program (or app) dialog appears. This is for Apache. Check Private networks, uncheck Public networks, and click Allow access.
    Software firewalls other than Windows Firewall will probably be triggered when Apache is actually run for the first time in Start A Module (below).
  13. The Setup: Completing the XAMPP Setup Wizard dialog appears. Uncheck Do you want to start the Control Panel now? Click Finish.
  14. XAMPP is installed. Run Windows/Microsoft Update and install any updates for the installed XAMPP packages. In this example, the Security Update for Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package (2538243) was listed and installed.

3. Run XAMPP

The computer onto which XAMPP is installed is known as the XAMPP host computer. XAMPP is run on, and from, the XAMPP host computer.

3.1. Start XAMPP: The XAMPP Control Panel And The XAMPP Notification Area Icon

Starting XAMPP displays the XAMPP Control Panel and the XAMPP notification area icon. The XAMPP Control Panel is the main XAMPP interface.

To start XAMPP:

  1. On Windows 7, click Start | All Programs | XAMPP | XAMPP Control Panel.
    On the Windows 8.1 Metro interface, click the Apps arrow | under XAMPP click XAMPP Control Panel.
    On Windows 10, click Start | if necessary, click All apps | in the apps list click XAMPP | XAMPP Control Panel.
  2. On first run, the Language dialog appears. Select the flag for the country that speaks your language. Click Save.
  3. The XAMPP Control Panel (top) and XAMPP notification area icon (bottom) appear: XAMPP Control Panel XAMPP Notification Area Icon

3.2. Start A Module

There are two ways to start a module:

  • In the XAMPP Control Panel under Actions, click the module's Start button. When the module is successfully started/running, the background color for the module's name turns green.
  • Right click the XAMPP notification area icon | click the module | Start. When the module is successfully started/running, the module's notification area icon status indicator turns green.

If your software firewall prompts that the Apache HTTP Server (httpd.exe) is attempting to listen for connections from other computers on ports 80 and 443, or that mysqld (mysqld.exe) is attempting to listen for connections from other computers on port 3306, or something similar, set the software firewall to the most restrictive setting that allows Apache and MySQL to function. For Windows Firewall, check Private networks, uncheck Public networks, and click Allow access.

If the XAMPP host computer is going to be used primarily for development, instead of starting the modules manually, you might want to start the modules as a service, which means they will automatically start when Windows starts. To start modules as a service, in the XAMPP Control Panel click the top right Config button. In the Autostart of modules fieldset, check the modules to start as a service. Click Save.

3.3. Stop A Module

There are two ways to stop a module:

  • In the XAMPP Control Panel under Actions, click the module's Stop button. When the module is successfully stopped/not running, the background color for the module's name turns transparent.
  • Right click the XAMPP notification area icon | click the module | Stop. When the module is successfully stopped/not running, the module's notification area icon status indicator turns red.

3.4. Close Verses Quit XAMPP And Manually Close Any Started Modules

Closing XAMPP:

  • Closes the XAMPP Control Panel.
  • Leaves the XAMPP notification area icon running.
  • Leaves the started modules running.

To Close XAMPP:

  • In the XAMPP Control Panel, click Close (top right red X).

Quitting XAMPP:

  • Closes the XAMPP Control Panel.
  • Closes the XAMPP notification area icon.
  • Leaves the started modules running.

There are two ways to quit XAMPP:

  • In the XAMPP Control Panel, click Quit.
  • Right click the XAMPP notification area icon | click Quit.

The XAMPP Control Panel can be shown/hidden from the XAMPP notification area icon.

To show/hide the XAMPP Control Panel from the XAMPP notification area icon:

  • Right click the XAMPP notification area icon | click Show/Hide.

Closing and/or quitting XAMPP does not stop any started modules. The only way to stop any started modules is to stop them manually.

To exit all XAMPP associated programs:

  1. Stop any started modules per Stop A Module (above).
  2. In the XAMPP Control Panel or notification area icon, click Quit.

4. Test The XAMPP Installation: The XAMPP Dashboard

To test the XAMPP installation:

  1. Start XAMPP and then start Apache.
  2. Point the web browser to either of the following:
    • The root of the web server:
      XAMPP redirects connections to the root of the web server to the XAMPP dashboard.
      • If your computer is the XAMPP host computer, the root of the web server is http://localhost/.
      • If a computer on a local network with your computer is the XAMPP host computer, the root of the web server is http://xampp_host_computer_ip_address_or_host_name/.
    • The XAMPP dashboard:
      • If your computer is the XAMPP host computer, the XAMPP dashboard is http://localhost/dashboard/.
      • If a computer on a local network with your computer is the XAMPP host computer, the XAMPP dashboard is http://xampp_host_computer_ip_address_or_host_name/dashboard/.
  3. Either way, if the installation of XAMPP was successful, the XAMPP dashboard appears. The XAMPP dashboard consists of web pages that provide educational information about XAMPP and, in the top navigation bar, a link to phpMyAdmin: XAMPP Dashboard

5. Common LAMP/WAMP MySQL And phpMyAdmin Vulnerabilities And The XAMPP Security Policy

5.1. Common LAMP/WAMP MySQL And phpMyAdmin Vulnerabilities

The installation of MySQL and phpMyAdmin by most LAMPs/WAMPs present two vulnerabilities that users should be aware of:

If MySQL is not installed, the two vulnerabilities are not present.
  1. phpMyAdmin all granted access vulnerability: The LAMP/WAMP host computer, and any computers on a local network with the LAMP/WAMP host computer, are granted access to phpMyAdmin. To access phpMyAdmin from the XAMPP host computer, point the web browser to http://localhost/phpmyadmin/ or click the XAMPP dashboard (above) top navigation bar phpMyAdmin link. To access phpMyAdmin from a computer on a local network with the XAMPP host computer, point the web browser to http://xampp_host_computer_ip_address_or_host_name/phpmyadmin/.
  2. MySQL root user account no password vulnerability: The LAMP/WAMP host computer, and any remote computers able to open the LAMP/WAMP host computer command prompt, can login to MySQL as the MySQL root user without having to supply a password. In addition, because MySQL user accounts are phpMyAdmin user accounts, any computers granted access to phpMyAdmin are automatically logged into phpMyAdmin as the MySQL root user without having to supply a password.

5.2. The XAMPP Security Policy

The XAMPP security policy restricts access to phpMyAdmin. As a result of the XAMPP security policy, only the XAMPP host computer, not any computers on a local network with the XAMPP host computer, is granted access to phpMyAdmin. If a computer on a local network with the XAMPP host computer tries to access phpMyAdmin, the following is displayed:

Computer On Network With XAMPP Computer Access To phpMyAdmin Forbidden
  • In the web page above, the Access to the requested directory is only available from the local network. text is incorrect and should be changed to something like, Access to the requested directory is only available to the XAMPP host computer.
  • The code for the XAMPP security policy is located in the C:\xampp\apache\conf\extra\httpd-xampp.conf text file.
  • Concerning the MySQL root user account no password vulnerability, if there is a malicious user of the XAMPP host computer who might exploit the MySQL root user account no password vulnerability, or if there is a malicious user of a remote computer able to open the XAMPP host computer command prompt who might exploit the MySQL root user account no password vulnerability, then password protect the MySQL root user account per reset the MySQL/MariaDB root password (localhost). If there are no such malicious users, then the MySQL root user account no password vulnerability is not a security risk.

6. Where To Place Your Web Site Files: The Root Of The Web Server

The easiest location to place your web site files is on the root of the web server. In this example, the root of the web server is C:\xampp\htdocs\.

To place your web site files on the root of the web server:

  1. Rename the C:\xampp\htdocs\index.php file (which redirects to the XAMPP dashboard) to C:\xampp\htdocs\index_xampp.php.
  2. Copy your web site files to the root of the web server. In this example, the root of the web server is C:\xampp\htdocs\.
  3. Start XAMPP and then start Apache.
  4. If your web site home page is index.html, index.htm, index.php, default.html, default.htm, or default.php, point the web browser to the root of the web server. If your computer is the XAMPP host computer, the root of the web server is http://localhost/. If a computer on a local network with your computer is the XAMPP host computer, the root of the web server is http://xampp_host_computer_ip_address_or_host_name/. If your web site home page has some other filename, for example, filename.xyz, then point the web browser to web site home page explicitly. If your computer is the XAMPP host computer, point the web browser to http://localhost/filename.xyz. If a computer on a local network with your computer is the XAMPP host computer, point the web browser to http://xampp_host_computer_ip_address_or_host_name/filename.xyz.
  5. The web site home page appears.
The XAMPP dashboard is still available, just not via the redirect from the root of the web server. To access the XAMPP dashboard, point the web browser to the XAMPP dashboard explicitly. If your computer is the XAMPP host computer, the XAMPP dashboard is http://localhost/dashboard/. If a computer on a local network with your computer is the XAMPP host computer, the XAMPP dashboard is http://xampp_host_computer_ip_address_or_host_name/dashboard/. Alternatively, point your web browser to the index_xampp.php file on the root of the web server.

7. Resources And Additional Information