I am making a classifieds site and have the xzero script. It is in PHP. Besides hacks messing with the server, the blog, and the forum, what is the best way to tighten up/protect the actual PHP classifieds script? And one other question... can a script be overwhelmed by lots of hits/users, and what is the best way to try to avoid that? Thanks
Protect the script from what? Hackers? You can start by turning error reporting off to the user's browser. Test for SQL injection, Cross-Site Scripting, Cross-Site Request Forgery and Session Fixation. If you can, rename the admin section to something unusual. What I did with my classified ad script (in my signature below) was to move all the PHP files out of the htdocs directory and use a framework architecture. You can build a simple dispatcher also. This prevents individual PHP files from being called by a user's browser. Once your site is running, check it with Nessus. They have thousands of scripts to check your site.

Overwhelmed by hits? I guess it depends on how well the script is written and the server it is running on. For the most part, you want your webserver to cache your images, CSS and JS files so the user's browser gets a 304 Not Modified response. Check into ETags and Cache-Control. It looks like xzero was designed some time ago because it still runs on PHP 4.3 and MySQL 3.23. I would see if it would run on PHP 5.2 and MySQL 5.1. Set up MySQL for query caching if you are using the MyISAM engine. If you have lots of server memory, make the caches large. Also, use a PHP opcode cache like APC. Set up your firewall to only allow expected traffic like ports 80, 443, 22, 25, etc.
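The hardening points in the answer above (errors off for the browser, session fixation, CSRF, XSS, SQL injection, a renamed admin entry and a dispatcher that keeps the PHP files out of htdocs) fit in a single front-controller file. The following is an added example written for this thread, not xzero's code and not HorseGalleria's script; it assumes a modern PHP (7.3 or later, so `random_bytes`, `hash_equals` and the array form of `session_set_cookie_params` exist), a hypothetical layout of `/var/www/htdocs/index.php` for this file and `/var/www/app/pages/` for the real handlers, a MySQL table `ads` and the route names, DSN and credentials shown, all of which are assumptions for illustration.

```php
<?php
// Added example (not part of the original post or of the xzero script):
// a minimal front controller that is the ONLY PHP file under the web root.
// Assumed layout (hypothetical):
//   /var/www/htdocs/index.php   <- this file
//   /var/www/app/pages/*.php    <- page handlers, unreachable by direct URL
declare(strict_types=1);

// 1. Errors go to the log, never to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

define('APP_DIR', dirname(__DIR__) . '/app');

// 2. Session cookie hardening; regenerate the id on login (session fixation).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

function login_user(int $userId): void
{
    session_regenerate_id(true);   // drop any attacker-chosen session id
    $_SESSION['user_id'] = $userId;
}

// 3. CSRF token: one per session, required on every POST.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(): void
{
    $sent = $_POST['csrf'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
}

// 4. Escape everything that is echoed into HTML (XSS).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 5. Dispatcher: only whitelisted page names map to files, so
//    ?page=../../etc/passwd or a direct hit on admin.php cannot work.
$routes = [
    'home'      => 'home.php',
    'view'      => 'view_ad.php',
    'post'      => 'post_ad.php',
    'ctl-9f3a2' => 'admin.php',   // the "renamed admin section" (assumed name)
];

function resolve_route(array $routes, ?string $page): ?string
{
    return $routes[$page ?? 'home'] ?? null;
}

// 6. Prepared statements for every query (SQL injection); connect lazily.
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=classifieds;charset=utf8mb4',
            'app', 'secret', [
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
            ]);
    }
    return $pdo;
}

function find_ad(string $id): ?array
{
    $stmt = db()->prepare('SELECT id, title, body FROM ads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$file = resolve_route($routes, $_GET['page'] ?? null);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check();
}
require APP_DIR . '/pages/' . $file;   // handlers use e(), find_ad(), csrf_token()
```

Each handler under `app/pages/` emits `<input type="hidden" name="csrf" value="<?= e(csrf_token()) ?>">` in its forms and wraps every echoed database field in `e()`. Because the web root contains only `index.php`, the web server cannot serve `admin.php` or any include file directly, which is the point of the dispatcher the answer describes.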
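For the "overwhelmed by hits" part, the answer above says to let the web server cache static images, CSS and JS with ETags and Cache-Control. The same conditional-GET idea also works for pages PHP renders but that change rarely, such as a category listing; the block below is an added example for this thread (not code from the post or from xzero) that goes one step beyond the static-file case by doing it in PHP, using a constructed sample page body and an assumed `max-age` of 300 seconds.

```php
<?php
// Added example (not part of the original post): strong ETag plus
// If-None-Match handling so a repeat visitor gets a bodiless 304.
// Only use "public" caching for pages that are identical for every user.
declare(strict_types=1);

function etag_for(string $body): string
{
    // ETags are quoted strings; a hash of the rendered body is a strong validator.
    return '"' . hash('sha256', $body) . '"';
}

// True when the client's If-None-Match already names the current ETag.
function client_has_current(string $etag, ?string $ifNoneMatch): bool
{
    if ($ifNoneMatch === null) {
        return false;
    }
    if (trim($ifNoneMatch) === '*') {
        return true;
    }
    foreach (explode(',', $ifNoneMatch) as $candidate) {
        $candidate = trim($candidate);
        if (strncmp($candidate, 'W/', 2) === 0) {   // weak tags still match on GET
            $candidate = substr($candidate, 2);
        }
        if ($candidate === $etag) {
            return true;
        }
    }
    return false;
}

function send_cached(string $body, int $maxAgeSeconds = 300): void
{
    $etag = etag_for($body);
    header('ETag: ' . $etag);
    header('Cache-Control: public, max-age=' . $maxAgeSeconds);
    header('Vary: Accept-Encoding');

    if (client_has_current($etag, $_SERVER['HTTP_IF_NONE_MATCH'] ?? null)) {
        http_response_code(304);   // browser reuses its copy; no body is sent
        return;
    }
    header('Content-Type: text/html; charset=UTF-8');
    header('Content-Length: ' . strlen($body));
    echo $body;
}

// Constructed sample body; in the real script this is the rendered listing,
// ideally built from a query that MySQL's query cache can serve.
$html = '<html><body><h1>Ads</h1><ul><li>Saddle for sale</li></ul></body></html>';
send_cached($html);
```

The first request pays for rendering and the hash; every later request with a matching `If-None-Match` costs PHP only the hash and a 304 with no body, and the static files still belong to the web server's own caching as the answer recommends.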
HorseGalleria - That was a very thorough answer as far as I can tell. Thanks for all of that information. I will take it and try to see what I can do, and probably hire a programmer to sift through my site to also help in this process. By the way... nice site for horse people... and I don't mean centaurs.