Security using $_SERVER["REMOTE_ADDR"]

Jean-Yves
Forum Contributor
Posts: 148
Joined: Wed Jul 02, 2003 2:13 pm
Location: West Country, UK


Post by Jean-Yves »

Hi,

I want to secure my site a little more by checking that the form that is submitting POST variables is my own, and not a copy that has been hacked by someone else with the Javascript validation removed.

Having read through previous posts on this topic, it seems to me that the easiest way to do this is to compare sending and receiving IP addresses and check that they match, rather than using HTTP_REFERER as this can be spoofed.

Something like:

Code:

// Compare the client's address with the address the server received the
// request on; both come from the $_SERVER superglobal.
if ($_SERVER["REMOTE_ADDR"] != $_SERVER["LOCAL_ADDR"])
  die("Unauthorised access!");

The LOCAL_ADDR is, as expected, returning 127.0.0.1 on my local dev box (windows, IIS, PHP 4.3.1), but appears to return null on my ISP's server (RedHat, apache, PHP 4.1.2).

Is this a security issue - ie has my ISP deliberately disabled the functionality, or something else?

Previously, I was doing server-side validation, then moved to Javascript on the client. Should I really keep both, from a security point of view?

Thanks for any help/clarification.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Previously, I was doing server-side validation, then moved to Javascript on the client. Should I really keep both, from a security point of view?
IMHO, keep both; you can never rely on client-side validation alone and you should always have server-side validation as a fallback.

Mac
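Server-side validation of the form Jean-Yves describes (two text fields and a textarea), as an added example written for this page rather than code from the thread; the field names, length limits and the use of current PHP functions are assumptions. Note that REMOTE_ADDR is the client's address, so comparing it with the server's own address only accepts requests that originate on the server itself; it is useful for logging, not as proof that your form was used.

```php
<?php
// Added example (not from the thread): server-side validation for a form
// with two text fields and one textarea. Field names are assumed.
define('MAX_TEXT_LEN', 100);
define('MAX_MESSAGE_LEN', 2000);

// Returns an array of error messages; empty means the input passed.
// Client-side JavaScript can be removed by anyone, so this runs on every POST.
function validate_form($post)
{
    $errors  = array();
    $allowed = array('name', 'email', 'message');

    // Reject unexpected fields: an edited copy of the form may add some.
    foreach (array_keys($post) as $field) {
        if (!in_array($field, $allowed, true)) {
            $errors[] = "Unexpected field: $field";
        }
    }
    foreach ($allowed as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "Missing field: $field";
        }
    }
    if ($errors) {
        return $errors;
    }
    $name = trim($post['name']);
    if ($name === '' || strlen($name) > MAX_TEXT_LEN) {
        $errors[] = 'Name must be 1 to ' . MAX_TEXT_LEN . ' characters';
    }
    if (!filter_var($post['email'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Email address is not valid';
    }
    $message = trim($post['message']);
    if ($message === '' || strlen($message) > MAX_MESSAGE_LEN) {
        $errors[] = 'Message must be 1 to ' . MAX_MESSAGE_LEN . ' characters';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_form($_POST);
    if ($errors) {
        // Escape on output so a rejected value cannot inject markup.
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    // Input is well-formed; process it here (store it, e-mail it, ...).
}
```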
Jean-Yves
Forum Contributor
Posts: 148
Joined: Wed Jul 02, 2003 2:13 pm
Location: West Country, UK

Post by Jean-Yves »

Hi twigletmac, thanks for the reply.

I had a feeling that that would be the answer ;)
Oh well, at least I've kept the old server side code so it's just a matter of pasting it back in and retesting. Serves me right for taking it out in the first place :)

Any thoughts on the LOCAL_ADDR issue? Do you have a preferred way of checking for the provenance of a request? The data that is being sent consists of two text fields and a text area, in case that is of relevance.