Protecting a Win2008 with PHP and MySQL from crackers attack

jrthurler
jrthurler used Ask the Experts™
on
I will be in a college hacker party and my team will have to protect a web site developed in PHP and mySQL. The challenge is to protect the site against SQL Injection and all other sort of attacks.
We´ll use Windows 2008, PHP 5 and mySQL. I don´t know if it´s better to use IIS or Apache because performance will not be a problem, just the security. I think use Apache in Windows could be a natural protection because the other teams will think that we´ll use IIS and try to attack some IIS vulnerability.
How is the best way (In SQL Injection we have a lot of tips to prevent) to protect this server ? We must use the college computers that will be clean on start of the challenge and we need to install and set up all the prograns (except PHP and mySQL) by ourself.

Regards,

JrT
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
The biggest and most common vulnerabilities for any site is sql injection attack.To protect site you need a robust authentication routine - which finally depends on database to gather
data and authenticate.This is where most of the Hackers penetrate and try to find out holes.
So that they have controlling authentication to your site and play with it.
Naturally your emphasis would be on to prevent sql vulnerabilities by using parameters instead of values , using mysql_real_escape_string etc.
A more elaborate arrangement is using a function like this
function check($str) {
$str = htmlentities(mysql_real_escape_string(trim($str)), ENT_QUOTES, 'UTF-8');
$str = nl2br($str);
$str = addslashes($str);
$str = str_replace("'", "'", $str);
$str = str_replace('\\', "\", $str);
$str = str_replace("|", "I", $str);
$str = str_replace("||", "I", $str);
$str = str_replace("/\\\$/", "$", $str);
return $str;
}
and for every get and post use
$values = check($_GET['values'])
or $values = check($_POST['values'])

and yes php,mysql and apache is  a very good combination for security.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial