Security using $_SERVER["REMOTE_ADDR"]

Posted: Mon Oct 27, 2003 4:57 am
by Jean-Yves
Hi,

I want to secure my site a little more by checking that the form that is submitting POST variables is my own, and not a copy that has been hacked by someone else with the Javascript validation removed.

Having read through previous posts on this topic, it seems to me that the easiest way to do this is to compare sending and receiving IP addresses and check that they match, rather than using HTTP_REFERER as this can be spoofed.

Something like:

// compare the client's address with the server's own address
if($_SERVER["REMOTE_ADDR"] != $_SERVER["LOCAL_ADDR"])
  die("Unauthorised access!");
The LOCAL_ADDR is, as expected, returning 127.0.0.1 on my local dev box (windows, IIS, PHP 4.3.1), but appears to return null on my ISP's server (RedHat, apache, PHP 4.1.2).

Is this a security issue, i.e. has my ISP deliberately disabled the functionality, or something else?

Previously, I was doing server-side validation, then moved to Javascript on the client. Should I really keep both, from a security point of view?

Thanks for any help/clarification.

Posted: Mon Oct 27, 2003 5:29 am
by twigletmac
Previously, I was doing server-side validation, then moved to Javascript on the client. Should I really keep both, from a security point of view?
IMHO, keep both, you can never rely on client-side validation alone and you should always have server-side validation as a fallback.

Mac
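Server-side validation of the kind twigletmac recommends, for the form described in the first post (two text fields and a textarea), as an added example that is not code from this thread; the field names, length limits and sample submissions are assumptions. It also shows why the REMOTE_ADDR comparison from the first post cannot serve as an "is this my own form" check: REMOTE_ADDR is the address the request came from, so it equals the server's own address only for requests the server makes to itself, and every ordinary visitor is rejected. (LOCAL_ADDR is an IIS server variable; Apache exposes the server's address as SERVER_ADDR instead, which is why it reads as null on the ISP's box.)

```php
<?php
// Added example (not from the thread): server-side validation of a form with
// two text fields and a textarea, plus the REMOTE_ADDR comparison from the
// first post shown against a normal visitor. Field names (name, email,
// message), length limits and the sample data below are assumptions.

// Validate the POST fields on the server. Returns an array of error messages;
// an empty array means the submission is acceptable.
function validate_form(array $post)
{
    $errors = array();

    $name = isset($post['name']) ? trim((string) $post['name']) : '';
    if ($name === '' || strlen($name) > 60) {
        $errors[] = 'name must be 1-60 characters';
    } elseif (!preg_match('/^[\p{L} .\'-]+$/u', $name)) {
        $errors[] = 'name contains characters that are not allowed';
    }

    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }

    $message = isset($post['message']) ? (string) $post['message'] : '';
    if (strlen($message) < 1 || strlen($message) > 2000) {
        $errors[] = 'message must be 1-2000 characters';
    } elseif (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $message)) {
        $errors[] = 'message contains control characters';
    }

    return $errors;
}

// The IP comparison from the first post: REMOTE_ADDR is the address the
// request came from, so it equals the server's own address only when the
// server itself made the request. Every ordinary visitor fails this test.
function request_is_from_server_itself($remote_addr, $local_addr)
{
    return $local_addr !== null && $remote_addr === $local_addr;
}

// Constructed sample submissions to exercise the validator offline.
$samples = array(
    'good'    => array('name' => 'Jean-Yves', 'email' => 'jy@example.com', 'message' => 'Hello'),
    'bad'     => array('name' => str_repeat('x', 100), 'email' => 'not-an-address', 'message' => ''),
    'missing' => array(),
);
foreach ($samples as $label => $post) {
    $errors = validate_form($post);
    printf("%-8s %s\n", $label, $errors ? implode('; ', $errors) : 'OK');
}

// A normal visitor at 203.0.113.5 (a documentation address) talking to a
// server at 192.0.2.10: the IP check rejects them even though the request
// came from the site's own, unmodified form.
var_dump(request_is_from_server_itself('203.0.113.5', '192.0.2.10'));
```

The validator runs whether or not the client-side Javascript was removed, which is the point of keeping it: the browser's checks are a convenience for the user, and only the server's checks decide what is accepted.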

Posted: Mon Oct 27, 2003 5:40 am
by Jean-Yves
Hi twigletmac, thanks for the reply.

I had a feeling that that would be the answer ;)
Oh well, at least I've kept the old server side code so it's just a matter of pasting it back in and retesting. Serves me right for taking it out in the first place :)

Any thoughts on the LOCAL_ADDR issue? Do you have a preferred way of checking for the provenance of a request? The data that is being sent consists of two text fields and a text area, in case that is of relevance.