Security of PHP application
Posted on 2013-01-17
I have a PHP application that allows users (potentially anyone) to visit one of my sites and, within an iframe, reach a more selective area within my site. For example, I have login.html as my original page with an iframe of index.php. Within index.php I have an area that allows three scenarios: a user can log in, register, or reset their password. The reason for using an iframe was to get two unique pages onto one (two logins). Once the user has registered, it sends me an email with the information they used to register, and I can either confirm their status or deny it. If they are confirmed they can log in; if not, my MySQL will hold their data (username and password) until the day I confirm it or physically delete the MySQL entry.
Once logged on, I have allowed the users to upload and download their own information, and additionally some of our tools and information. Additionally, I have created an area for a profile and a payment system.
All of this is handled by sessions which time out after 30 minutes, and each page checks to make sure the information about the session is there or it kicks you to the index.php page.
Because I am dealing with uploading, data transmissions, and payments, I have also installed a 128-bit SSL.
Currently the site is hosted on GoDaddy, but I am thinking of removing this function of the website and installing it on its own physical server in my office. The reason for this is that I would then have the physical data at hand and would not have to abide by other territories' regulations on information sharing, only my country's (Canada).
At my office I have a typical system with a "cloud" firewall and McAfee AV, then an internal SonicWall firewall which also acts as a router, and then individual VA on each device.
Essentially, what I am trying to figure out is a couple of things:
1. Is there free or paid software that I can implement that will keep probing at the "portal" until it finds a weakness?
2. Is taking this "portal" portion off of GoDaddy and onto its own server a worthwhile idea, and other than brute-force attacks, which would be an obvious weakness of my own server, what would I have to consider?
3. If I were to move the hosting onto my own server, what would be a good platform for doing so?
Thanks a lot!!!
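The post describes a per-page session check with a 30-minute timeout, a registration flow where accounts wait for the owner's approval before they can log in, and a login page framed from login.html. The PHP below is an added example of how those three pieces can be written defensively; it is not the poster's code. It assumes a hypothetical file name `auth_guard.php`, a hypothetical MySQL table `users(id, username, password_hash, approved)`, PHP 7.3 or later (for the array form of `session_set_cookie_params`), and that every protected page starts with `require 'auth_guard.php'; require_login();`.

```php
<?php
// auth_guard.php (hypothetical name): session guard, registration and login helpers.
// Assumed table: users(id INT, username VARCHAR, password_hash VARCHAR, approved TINYINT).
declare(strict_types=1);

// Idle limit matching the 30-minute timeout described in the post.
const SESSION_IDLE_LIMIT = 30 * 60;

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_NONE) {
        return; // already started earlier in this request
    }
    // Cookie flags: HTTPS only, not readable by JavaScript, not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
    // Only pages on this same origin may embed this one (the login.html -> index.php iframe).
    header('X-Frame-Options: SAMEORIGIN');
}

function end_session(): void
{
    // Clear server-side state and expire the client cookie, then drop the session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every protected page: kicks the visitor to index.php when there is
// no logged-in user or the session has been idle longer than SESSION_IDLE_LIMIT.
function require_login(): void
{
    start_secure_session();
    $now = time();
    $expired = !isset($_SESSION['last_activity'])
        || ($now - (int) $_SESSION['last_activity']) > SESSION_IDLE_LIMIT;
    if (empty($_SESSION['user_id']) || $expired) {
        end_session();
        header('Location: /index.php');
        exit;
    }
    $_SESSION['last_activity'] = $now; // sliding window: each page view renews the 30 minutes
}

// Registration stores a password hash, never the password, and leaves the account
// unapproved (approved = 0) until the site owner confirms it.
function register_user(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash, approved) VALUES (?, ?, 0)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login succeeds only for a known username, a matching password AND an approved account.
function login_user(PDO $db, string $username, string $password): bool
{
    start_secure_session();
    $stmt = $db->prepare('SELECT id, password_hash, approved FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // unknown user or wrong password: same answer for both
    }
    if ((int) $row['approved'] !== 1) {
        return false; // registered, but the owner has not confirmed this account yet
    }
    session_regenerate_id(true); // fresh session id on login, so a pre-login id cannot be reused
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['last_activity'] = time();
    return true;
}

function logout_user(): void
{
    start_secure_session();
    end_session();
    header('Location: /index.php');
    exit;
}
```

The approval flag is checked inside `login_user()` rather than only at registration time, so an account that exists in MySQL but has not been confirmed cannot sign in even if the email step is skipped. The `session_regenerate_id(true)` call and the cookie flags are the parts most often missing from a hand-written session system; the idle check in `require_login()` is what enforces the 30-minute rule on every page, not just the login page.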