mySQL and PHP security issue.....2


jesseainskeep
09-22-2006, 10:55 AM
Thanks for your input before on my security issues with my hosting company...

I'm now in the second stage of deciding if I should use a dedicated server... which can cost up to like $200 a month....

Or if I should use my own server, get better DSL service to my house, and try to run everything myself.

My problem is still security. The new site I'm using will have SS#'s in it with medical documents as well. Does anyone have experience with dedicated servers... and how they work with PHP?

I'm fairly savvy and I'm sure I would be able to get the server setup using RedHat or something like that.

I guess I'm just looking for advice on what some other PHP programmers use for the sites, that are worried about security.

I'm open to any suggestions, thanks much.

bokeh
09-22-2006, 12:37 PM
As long as your host doesn't have an anti-server policy (with possible port blocking), running a server over a DSL line is a viable option. I've run a server over a 128kbs upstream connection and at the moment have a 300kbs upstream connection, which is fine for any medium traffic server with efficiently written pages. I also GZip all ASCII documents, which dramatically reduces their size. For a mine of information on running your own webserver check out DSLwebserver.com (http://dslwebserver.com/).

Taschen
09-22-2006, 03:23 PM
Installing Linux should be the easy bit!

If you are going to store any personal data you will have to be more than just savvy. Whatever anyone may tell you to the contrary, you will need some kind of encryption (i.e. an SSL certificate) running in order to ensure some basic data security between server and browser. If you set up your own server you could use OpenSSL for this. When you build your box, installing the newest versions of Apache and PHP will be your first steps in ensuring data integrity.

Installing a utility such as PLESK (versions of which are now free) will make it considerably easier to manage and back up the domain space on your server, as will ensuring adequate partitioning of the disk.

Partition your disk so that the database runs on a separate area from the public facing website. This will help to limit damage in the case of an attack. Allow queries to the db only from your site domain/associated domains. Back up regularly.

Allowing access by IP or cookies is no defence (IP spoofing is very easy). At the same time, log all IPs (gives you a sporting chance against the script kiddies). Always hash (or better still encrypt) data such as Social Security numbers on the database.

Ensure that any data sent to the database by users is secure and clean. Monitor and review log records. Run anti-virus checks often and update any applications regularly.

Good luck!
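The advice above on keeping user-supplied data clean and hashing or encrypting Social Security numbers in the database, as an added PHP example (not code from the thread). It assumes PHP 7.2+ with libsodium, a hypothetical `patients` table with `ssn_cipher` and `ssn_index` binary columns, and two 32-byte keys loaded from a file outside the web root:

```php
<?php
// Added example (not from the thread). Assumes a hypothetical table:
//   patients(name VARCHAR(100), ssn_cipher VARBINARY(255), ssn_index BINARY(32))
// $encKey and $indexKey are 32-byte secrets read from outside the web root.

function encrypt_ssn(string $ssn, string $encKey): string {
    // Authenticated encryption; a fresh nonce is prepended so it can be recovered later.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($ssn, $nonce, $encKey);
}

function decrypt_ssn(string $blob, string $encKey): string {
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $encKey);
    if ($plain === false) {
        throw new RuntimeException('SSN record failed authentication (tampered or wrong key)');
    }
    return $plain;
}

// Keyed hash ("blind index") so records can be looked up by SSN without storing
// plaintext. An unkeyed hash is not enough: the SSN space is only ~1e9 values.
function ssn_index(string $ssn, string $indexKey): string {
    return sodium_crypto_generichash($ssn, $indexKey, 32);
}

function normalize_ssn(string $raw): string {
    // "Clean" input: accept only the expected shape and store a canonical form.
    if (!preg_match('/^(\d{3})-?(\d{2})-?(\d{4})$/', trim($raw), $m)) {
        throw new InvalidArgumentException('SSN is not in the expected format');
    }
    return $m[1] . $m[2] . $m[3];
}

function store_patient(PDO $db, string $name, string $rawSsn, string $encKey, string $indexKey): void {
    $ssn  = normalize_ssn($rawSsn);
    $stmt = $db->prepare('INSERT INTO patients (name, ssn_cipher, ssn_index) VALUES (:name, :cipher, :idx)');
    // Bound parameters: user input is never interpolated into the SQL text.
    $stmt->bindValue(':name',   $name, PDO::PARAM_STR);
    $stmt->bindValue(':cipher', encrypt_ssn($ssn, $encKey), PDO::PARAM_LOB);
    $stmt->bindValue(':idx',    ssn_index($ssn, $indexKey), PDO::PARAM_LOB);
    $stmt->execute();
}

function find_patient_by_ssn(PDO $db, string $rawSsn, string $indexKey): ?array {
    $stmt = $db->prepare('SELECT name, ssn_cipher FROM patients WHERE ssn_index = :idx');
    $stmt->bindValue(':idx', ssn_index(normalize_ssn($rawSsn), $indexKey), PDO::PARAM_LOB);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The keys, not the database, are what protect the SSNs: keep them off the partition holding the web root and out of any backup that travels with the database dump.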