Security using $_SERVER["REMOTE_ADDR"]
Posted: Mon Oct 27, 2003 4:57 am
Hi,
I want to secure my site a little more by checking that the form that is submitting POST variables is my own, and not a copy that has been hacked by someone else with the Javascript validation removed.
Having read through previous posts on this topic, it seems to me that the easiest way to do this is to compare sending and receiving IP addresses and check that they match, rather than using HTTP_REFERER as this can be spoofed.
Something like:
Code:
if($_SERVER["REMOTE_ADDR"] != $_SERVER["LOCAL_ADDR"])
    die("Unauthorised access!");
The LOCAL_ADDR is, as expected, returning 127.0.0.1 on my local dev box (windows, IIS, PHP 4.3.1), but appears to return null on my ISP's server (RedHat, apache, PHP 4.1.2).
Is this a security issue - i.e. has my ISP deliberately disabled the functionality, or something else?
Previously, I was doing server-side validation, then moved to Javascript on the client. Should I really keep both, from a security point of view?
Thanks for any help/clarification.
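An added example, not part of the original post: REMOTE_ADDR is the address of the visitor's machine, so the check that does not depend on the client is a server-side one. The sketch below ties each rendered form to the session with a one-time token and re-validates every field on the server, whether or not the Javascript ran. The field names (form_token, email, quantity) and the plain array standing in for $_SESSION are assumptions made for illustration.

```php
<?php
// Added illustration; field names and the session array are hypothetical.

// Issue a random token when rendering the form; embed it in a hidden field.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Validate a submission entirely on the server. Returns a list of failed
// checks; an empty list means the request is acceptable.
function validate_submission(array $post, array &$session): array
{
    $errors = [];

    // 1. The token must match the one issued to this session; it is single-use.
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']);
    $given = $post['form_token'] ?? '';
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        $errors[] = 'token';
    }

    // 2. Re-check every field, whatever the client-side script did or skipped.
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        $errors[] = 'quantity';
    }
    return $errors;
}

// Constructed sample requests (not real traffic).
$session = [];
$token = issue_form_token($session);
$good = ['form_token' => $token, 'email' => 'user@example.com', 'quantity' => '3'];
var_dump(validate_submission($good, $session));     // well-formed submission

$token = issue_form_token($session);
$tampered = ['form_token' => $token, 'email' => 'not-an-email', 'quantity' => '-5'];
var_dump(validate_submission($tampered, $session)); // copy of the form with the script checks removed
```

The token only shows that the form was served to this session; a modified copy can still carry a valid token, which is why the field checks run on every request.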