
Server Side Practice

Posted: Fri Mar 08, 2013 7:50 pm
by Benjamin100
So, I was here a while ago. I had been programming in C++ and even learning some OpenGL, but I'm not good with math so I stopped that.

Now I'm trying to learn some more Web Development, and I want to learn PHP.
The issue is that I don't have a server to do server side scripting with. Apparently I can set one up, but if I do couldn't somebody get access to it and start using my computer as a server? Won't I have to use some sort of security to make sure nobody else uses it?

Re: Server Side Practice

Posted: Fri Mar 08, 2013 11:35 pm
by Rebornxeno
That's a really interesting question that I hope someone answers. Here is my answer: Pretend you have a server! You can write up a server-simulator that acts like a server, but really isn't, and do your pcp on that.

Re: Server Side Practice

Posted: Sat Mar 09, 2013 2:36 am
by BugInTheSYS
You don't need to write a server 'simulator,' things like that are already out there. Just take a look at XAMPP.
And keep in mind that there are more possibilities to write server-side programs than just PHP. Professional websites with a lot of traffic probably use a kind of server-side application that has been compiled previously, instead of interpreting PHP on each request.
Edit: if you set up your PC as a server with xampp, any router will prevent people from outside your network from accessing it, in default configuration.

Re: Server Side Practice

Posted: Sat Mar 09, 2013 5:20 pm
by Rebornxeno
This might really be siding on off topic, but I want to ask, could a router be bypassed in some way? As in, even if he is using a router, is there some way when he uses XAMPP that security could still be a risk?

Re: Server Side Practice

Posted: Sat Mar 09, 2013 6:04 pm
by bbguimaraes
Most (if not all) modems/routers come with a built-in firewall, and the rules are usually deny every connection from the outside to the inside and allow all connections from the inside to the outside. You have to check it to be sure, but I'm pretty sure every sane device does that.

Re: Server Side Practice

Posted: Sat Mar 09, 2013 7:45 pm
by superLED
Where I work, we use XAMPP (Windows) and LAMPP (Linux) all the time in early development.
I do it from home as well, while working on personal projects.

I have never ever been affected by outsiders.

If you are dumb and port-forward a port (so you can access your localhost from elsewhere) && give away your IP address, then you might have a problem.

Re: Server Side Practice

Posted: Sat Mar 09, 2013 8:41 pm
by dandymcgee
I've used XAMPP before as well, which works fine for local web development. However, I personally prefer: USB Webserver
It's completely portable (no installer), and runs out of a single directory. You can throw it on a flash drive or in your drop box and do your testing / development from anywhere.
Rebornxeno wrote:This might really be siding on off topic, but I want to ask, could a router be bypassed in some way? As in, even if he is using a router, is there some way when he uses XAMPP that security could still be a risk?
A router does exactly what the name implies: it routes packets to their intended destination. Conceptually, a router has no inherent security other than making sure packets get sent to the right host. However, most hardware that we refer to as "routers" have many other functions built-in, including a firewall. Many modern modems also have some routing and firewall functionality as well (even the ones with only one ethernet port!)
bbguimaraes wrote:Most (if not all) modems/routers come with a built-in firewall, and the rules are usually deny every connection from the outside to the inside and allow all connections from the inside to the outside. You have to check it to be sure, but I'm pretty sure every sane device does that.
I would agree. It's usually safe to bet your modem/router does this by default, but it never hurts to check the configuration yourself to make sure.
superLED wrote:If you are dumb and port-forward a port (so you can access your localhost from elsewhere) && give away your IP address, then you might have a problem.
If your host is not internet accessible then, by definition, it cannot be accessed by a malicious user via the internet. While there are plenty of convoluted exceptions to this general statement, it is highly unlikely anyone is going to target your machine specifically unless you are known to be storing very sensitive data.

Even if you were to accidentally make your web server internet accessible (unlikely, as it's usually fairly difficult to do on purpose), the hacker would still be confined to the directories and applications in the web root. Short of finding a code execution vulnerability in your web application, they can't do much. Web hackers are usually more interested in convincing your database to spit out information it's not supposed to.

If you were extremely paranoid, or wanted to play around with vulnerable software on purpose, you could always sandbox the web server in a virtual machine. This is most definitely overkill for simple local development use.

I'm happy to answer any other web dev questions you might have, as it's one of my favorite topics.

PS - Fun with PHP:
top20.php

Re: Server Side Practice

Posted: Sat Mar 09, 2013 8:44 pm
by dandymcgee
Rebornxeno wrote:You can write up a server-simulator that acts like a server, but really isn't, and do your pcp on that.
Also.. I highly discourage doing pcp. That shit will fuck you up. PHP is much healthier for your brain and your career.

Re: Server Side Practice

Posted: Sat Mar 09, 2013 11:00 pm
by MarauderIIC
You can set the server to only listen to 127.0.0.1 (localhost), therefore alleviating all of your security concerns.

Re: Server Side Practice

Posted: Sun Mar 10, 2013 12:53 pm
by dandymcgee
MarauderIIC wrote:You can set the server to only listen to 127.0.0.1 (localhost), therefore alleviating all of your security concerns.
Ahh yeah, I knew there was something like that but I forgot about loopback. Haven't set up a local server in quite a while.

Re: Server Side Practice

Posted: Mon Mar 11, 2013 5:05 am
by MarauderIIC
Yup, because
http://beej.us/guide/bgnet/output/html/multipage/syscalls.html#bind wrote:int bind(int sockfd, struct sockaddr *my_addr, int addrlen);
<snip> my_addr is a pointer to a struct sockaddr that contains information about your address, namely, port and IP address. <snip>
(Emphasis mine) Thus it's possible to listen only on desired IP addresses, and this is implemented in all (most) server software since a machine can have additional network cards in addition to its loopback :)

...but that's more than you wanted to know.
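
Added example (not part of the original thread or any poster's code): the bind() address choice discussed above, shown with two listeners, one bound to 127.0.0.1 and one to 0.0.0.0, and a getsockname() check of what each socket is really bound to. The helper names listen_on and is_loopback_only are made up for this illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP listener bound to ip:port (port 0 = let the kernel pick).
 * Returns the socket fd, or -1 on failure. Hypothetical helper. */
int listen_on(const char *ip, unsigned short port)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    /* sin_addr is the field that decides which interfaces accept connections. */
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Ask the kernel what the socket is actually bound to.
 * Returns 1 if loopback only (127.0.0.0/8), 0 if it is bound to an
 * address other machines can reach, -1 on error. Hypothetical helper. */
int is_loopback_only(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
        return -1;
    return (ntohl(addr.sin_addr.s_addr) >> 24) == 127;
}

int main(void)
{
    int local = listen_on("127.0.0.1", 0); /* same-machine clients only */
    int every = listen_on("0.0.0.0", 0);   /* INADDR_ANY: every interface */
    printf("127.0.0.1 -> loopback only: %d\n", is_loopback_only(local));
    printf("0.0.0.0   -> loopback only: %d\n", is_loopback_only(every));
    close(local);
    close(every);
    return 0;
}
```

A listener of the second kind is the one that relies on the router's firewall to stay private; the first kind is unreachable from other machines regardless of router settings.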

Re: Server Side Practice

Posted: Mon Mar 11, 2013 5:54 pm
by dandymcgee
MarauderIIC wrote:...but that's more than you wanted to know.
No such thing.. unless we're talking about mathematic proofs.

Re: Server Side Practice

Posted: Wed Mar 13, 2013 5:58 pm
by Benjamin100
Thanks guys.

I'm still confused. I was watching a tutorial and apparently you have to set it up and then open it up in a browser to set a password. Does that mean that before I set the password it is open to the public? I'm confused.
I don't understand servers. I'm still learning this stuff.

p.s. Why is the text in the posting box so small?

Re: Server Side Practice

Posted: Wed Mar 13, 2013 11:01 pm
by Benjamin100
So I've set it up just this way; http://www.webassist.com/support/docume ... indows.php
Does that mean it won't allow any access to my server from outside?

Re: Server Side Practice

Posted: Wed Mar 13, 2013 11:36 pm
by Benjamin100
Now I just get an Access Forbidden whenever I try to test a webpage.