
Webserver costs?


shadowayex


I'm working on getting a web server. Aside from the price of the server, are there any other costs? I know about WAMPP (or something of the sort) that will install everything I need for. I know there may be costs or whatnot with my ISP, but those are getting hammered out. But do I have to pay to have a domain name or anything like that? Also, security-wise, I was planning on installing AVG Free 8.0 and ZoneAlarm (free firewall) onto the server. Is there anything else I need to do? The server is basically for just one site for right now. A website I'm going to develop for a local club. But the website is going to be open to all people interested in the topic and will feature a messaging system, user profiles, file upload (pictures and videos mainly) and stuff of that sort. Security is my number one concern. I'm going to be pouring a lot of time and work into the project and I want to make sure no one is going to ruin it.


Well, first thing I would recommend would be getting a computer with Linux on it. Most Linux distributions nowadays come with the "server" option, which basically means that it doesn't install a UI and you would just have to use the command prompt to do anything. You can still install the UI as an optional component (in case you don't feel like having to type a LOT to update/install anything). I recommend Linux mainly for the fact that Windows bogs itself down after time, and you end up getting RAM read/write errors (ran a server on Windows for about 2 years. It shuts down randomly now due to an error in reading a specific set of memory data... yeah, I could just replace it, but I'm too lazy). Be careful, however: some Linux ISOs do self-done backups which can take up a lot of space on your hard drive. I recommend the newest stable version of PHP; any new Linux distro should come with it, along with MySQL and Apache. If not, there are PLENTY of tutorials on how to set up a LAMP server for yourself. Just remember, opening that computer to the internet is risky, as someone could somehow, possibly, if they were REALLY good, get access to the rest of the network.


There's not really a single security switch that you can flip to make a server secure. If you're going to be administering the server yourself, then you should get a book or two about server security and read up on it; there's a lot to take into account. Decide which OS and server software you're going to be using and get a book dedicated to that specific environment. If you don't think a book is necessary for something like this, keep in mind that people go to school and make careers out of just maintaining servers; there's a lot to know. Once the server itself is secure, you'll need to be aware of security practices in PHP or whatever language you're going to be working in. It wouldn't be a bad idea to get a book there either that will teach you what you need to know about things like SQL injection attacks, password dictionary attacks, email form attacks, etc. Again, there's a lot to know there as well. You can probably find a lot of that information online, but a book would cover more things in one place.


  • 3 weeks later...

You pretty much have all paid things you can get.
Things you can't get for free are (as you said yourself) your server computer itself and your internet connection. All else could be free, legally or otherwise.
If it's just for one site, then I think Windows XP or Windows Server 2003 might be sufficient for you. Feel free to use Windows XP x64 or Windows Server 2003 x64 if you feel the site will receive too much traffic that a single PC with less than 4GB can't handle, but if you go that far, you're stuck with IIS as your web server, since Apache can't run on win64 environments, but just win32 ones. Well, ok, it runs on x64 environments too (I'm now running it on Vista Ultimate x64), but it doesn't take advantage of the extra resources, so it doesn't make a difference.
If security is of a big concern, stay away from XAMPP, WAMPP, and all other similar packages. They are designed to be easy to install and access. This is by definition not secure, and spending time trying to make it secure is just not worth it. It's better to learn how to install all the components manually, so that you learn "what goes where" in the chain, and make security adjustments where they count.
(A typical example a beginner user of XAMPP could make - expect an .htaccess file to protect a folder on his FTP server. If you don't know already why this expectation is stupid, install and configure all the components separately, and you'll know.)
If you want a first level domain, you'll have to pay for it. A domain like "w3schools.com" and "w3c.org" can't be received for free. What you could get for free is a subdomain. One service I know for that is DynDNS, but be aware that unless you pay, you have to confirm activity by email every month. Hmm... now that I think of it, in theory you could have a script that checks your email at regular intervals, and sends a request for the link in the appropriate email. A tricky thing to do, but that's the price of free.
As far as antivirus and firewall software goes, I find that Windows Firewall is sufficient in most cases, but since ZoneAlarm is free, I guess it can't hurt. I'm personally suspicious of free antivirus products. In the case of AVG, that's doubled, as they also have a paid version. Imagine a cry from a free user saying "I think I've found a virus"... my worst nightmare is being that user and for AVG to answer "Please upgrade to our paid version. It fixes this.". I find NOD32 to be the best balance between effectiveness and resource hunger. Norton Antivirus (and everyone else from the family like Norton 360) stand on the effectiveness' good side, but are resource hogs. Prepare to get at least 2GB RAM on the server if you want your server to be efficient with it.
As already recommended, you must also become aware of the security issues that PHP may lead to. That is not to say PHP is not secure, no - that is to say you must learn how to use it in a secure fashion, since "with great power comes great responsibility".


What are some of the PHP issues regarding security?
File uploads - you could make a PHP file to allow anyone to upload an unlimited amount of arbitrarily sized files to arbitrary locations on your server. Doing so is not really a good idea obviously, but if you don't verify the file size, type, etc. of a file, that may be what you end up doing.
SQL injections - when accepting user input as part of a DB query, you could end up allowing users to delete database entries or extract information they're not supposed to see, including any private information the DB might store like passwords, emails, credit card numbers, etc.
Path selection - you may be allowing people access to arbitrary files inside a certain location. But if you don't do proper checks, you may end up allowing people access to arbitrary files outside of that location.
The list goes on and on, and it all depends on what you're doing. The number one rule of thumb when it comes to PHP security is to simply verify all user input before using it. This includes all $_GET, $_POST, and even $_COOKIE variables, as well as $_SERVER variables that are dependent on the current request.
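The three checks named in the answer above (file uploads, SQL injection, path selection), sketched in PHP as an added example that is not part of the original thread. The function names, the size limit, the allowed types and the `users` table are assumptions made for illustration; it assumes PHP 8 with the fileinfo and pdo_sqlite extensions, and the demo data at the bottom is constructed.

```php
<?php
declare(strict_types=1);
const MAX_BYTES = 2 * 1024 * 1024; // assumed limit
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // assumed types

// File uploads: check the error code, the size on disk and the detected content
// type; the stored name is generated here, never taken from the client.
function checkUpload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $type = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED[$type] ?? throw new RuntimeException("type $type not allowed");
    return bin2hex(random_bytes(16)) . '.' . $ext; // pass to move_uploaded_file()
}

// SQL injection: the value is bound as a parameter, never pasted into the SQL.
function findUser(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Path selection: resolve symlinks and "..", then require the result under $base.
function resolveInside(string $base, string $requested): string {
    $root = realpath($base);
    $path = $root === false ? false : realpath($root . '/' . $requested);
    if ($path === false || !str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('path outside allowed directory');
    }
    return $path;
}

// Constructed demo data: temp files and an in-memory SQLite table.
$dir = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$dir/public", 0700, true);
file_put_contents("$dir/secret.txt", 'private');
file_put_contents("$dir/up.tmp", '<?php echo 1;'); // script posing as cat.png
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
echo count(findUser($db, "x' OR '1'='1")), " rows matched\n";
foreach ([fn() => resolveInside("$dir/public", '../secret.txt'),
          fn() => checkUpload(['error' => UPLOAD_ERR_OK, 'tmp_name' => "$dir/up.tmp"])] as $try) {
    try { $try(); } catch (RuntimeException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
}
```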


This topic is now archived and is closed to further replies.
