IP Deny Function

Posted: Fri Oct 07, 2005 9:49 pm
by blacksnday
OK! After posting craploads on these forums for the past 2..? months I am finally learning stuff!

I am writing an admin area script for my news project script
and wanted to create something that could block any access
other than myself to the admin area.

Of course... besides this function there are other checks, but this should
stop first and hopefully always first.

So I post here to get a possible critique on my new function if possible :)

This grabs the IP set in the database, then denies all unless the IP matches
what was set. And yes, for a lot of people this function wouldn't work,
but for me and other lucky people with an ISP that gives an IP
that always stays the same... well, it works well!

Code:

function vf_news_admin_checker()
{
    $err = 'there has been an error';
    $sql = mysql_query("SELECT value FROM table WHERE foo='boo'") or die($err);

    while ($vfn_admin_check = mysql_fetch_array($sql)) {
        $vfn_admin_ip = $vfn_admin_check['value'];

        // If no IP is set, everything below is bypassed.
        if (!empty($vfn_admin_ip)) {
            // The address the web server saw this request come from.
            $host = $_SERVER['REMOTE_ADDR'];

            if ($host === $vfn_admin_ip) {
                // The IP matches the one set in the database: admin access is given.
                echo "some welcome message?";
            } else {
                // The IP doesn't match: deny the attempt and log the visitor's IP.
                // Escape the value before it goes into the query.
                $safe_host = mysql_real_escape_string($host);
                @mysql_query("INSERT INTO table (row) VALUES ('$safe_host')");
                echo "Some deny message to the user here ";
                die();
            }
        }
    }
}
My question with this is how easy can an IP be spoofed?
But even if it can be easy, it would be a lot harder for anyone to
know the IP address of the site owner... unless they were friends or something.
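
An added example for the spoofing question above; this is not the poster's code and not part of VF News. It shows where `$_SERVER['REMOTE_ADDR']` comes from and why a check that reads a client-supplied header instead is trivially bypassed. The function names, the two request arrays and the addresses (documentation ranges) are constructed for the illustration.

```php
<?php
// Added example, not code from the thread or from VF News.
//
// $_SERVER['REMOTE_ADDR'] is filled in by the web server from the peer
// address of the TCP connection. Faking it would mean completing a TCP
// handshake from an address the client does not hold, which a normal HTTP
// client on the open internet cannot do. Request headers such as
// X-Forwarded-For are different: any client can send whatever it likes.

// Correct: use only the address the server itself observed.
function vf_client_ip(array $server): string
{
    return $server['REMOTE_ADDR'] ?? '';
}

// Broken: prefer a client-supplied header. One extra header on the request
// is enough to pass the IP check.
function vf_client_ip_trusting_header(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // First entry of the comma-separated list, as proxies write it.
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Strict comparison; an empty configured IP never matches anything.
function vf_ip_allowed(string $client_ip, string $admin_ip): bool
{
    return $admin_ip !== '' && $client_ip === $admin_ip;
}

// Constructed requests (assumptions for the example). 203.0.113.7 stands
// for the site owner's static IP, 198.51.100.20 for an attacker.
$admin_ip = '203.0.113.7';

$owner_request = ['REMOTE_ADDR' => '203.0.113.7'];

$forged_request = [
    'REMOTE_ADDR'          => '198.51.100.20',
    // What the attacker adds, e.g. curl -H 'X-Forwarded-For: 203.0.113.7' ...
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
];

var_dump(vf_ip_allowed(vf_client_ip($owner_request), $admin_ip));
var_dump(vf_ip_allowed(vf_client_ip($forged_request), $admin_ip));
var_dump(vf_ip_allowed(vf_client_ip_trusting_header($forged_request), $admin_ip));
```

Run with the PHP CLI, the first and third checks accept and the second rejects: the forged header does nothing against the function that reads `REMOTE_ADDR`, and everything against the one that trusts the header. Two caveats a practitioner would add: if the site sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, and the forwarded header should then be read only when `REMOTE_ADDR` is that known proxy, taking the hop the proxy appended rather than the first entry; and `REMOTE_ADDR` identifies an address, not a person, so everyone sharing the owner's NAT or a later holder of a reassigned address passes the check.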

Posted: Fri Oct 07, 2005 9:53 pm
by Ambush Commander
What if you wanted to have administrative access from some other terminal because you were on vacation or something?

Posted: Fri Oct 07, 2005 9:54 pm
by blacksnday
Ambush Commander wrote: What if you wanted to have administrative access from some other terminal because you were on vacation or something?
Then I could always log into cPanel and quickly remove the IP from the database and be given access.
Besides... I've got no clue what a vacation is :P

Posted: Fri Oct 07, 2005 10:05 pm
by Ambush Commander
Just... don't. Base the login just on admin credentials (perhaps reauthenticate and regenerate session id).
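
An added example of what the reply above suggests (credentials as the gate, with the session id regenerated at login and a periodic re-authentication); it is not code from the thread or from VF News. The admin record, the 15-minute re-auth window and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread or from VF News.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Constructed admin record (assumption). The hash is generated here so the
// example runs anywhere; a real script stores the output of password_hash()
// once and never keeps the plaintext.
$vfn_admin = [
    'user' => 'admin',
    'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Verify the credentials and, on success, start a fresh session for the admin.
function vf_admin_login(string $user, string $pass, array $admin): bool
{
    // Evaluate both checks before deciding, so a wrong username and a wrong
    // password are rejected along the same path.
    $user_ok = hash_equals($admin['user'], $user);
    $pass_ok = password_verify($pass, $admin['hash']);
    if (!$user_ok || !$pass_ok) {
        return false;
    }

    // Discard the pre-login session id: an id planted on the victim before
    // login (session fixation) must never turn into an admin session.
    session_regenerate_id(true);
    $_SESSION['admin_user']    = $admin['user'];
    $_SESSION['admin_auth_at'] = time();
    return true;
}

// True when the session carries no admin login, or when the login is older
// than $max_age seconds and the admin has to type the password again.
function vf_admin_needs_reauth(array $session, int $now, int $max_age = 900): bool
{
    if (!isset($session['admin_user'], $session['admin_auth_at'])) {
        return true;
    }
    return ($now - $session['admin_auth_at']) > $max_age;
}

// Gate for every admin page: send the user to the login form when needed.
function vf_admin_require(array $session, int $now): void
{
    if (vf_admin_needs_reauth($session, $now)) {
        header('Location: /admin/login.php');
        exit;
    }
}

// Usage with constructed inputs: a wrong password, the right one, then the
// re-auth check now and an hour later.
var_dump(vf_admin_login('admin', 'wrong password', $vfn_admin));
var_dump(vf_admin_login('admin', 'correct horse battery staple', $vfn_admin));
var_dump(vf_admin_needs_reauth($_SESSION, time()));
var_dump(vf_admin_needs_reauth($_SESSION, time() + 3600));
```

The point of `session_regenerate_id(true)` is that the id the browser held before the password was checked is thrown away, so nothing an attacker could have planted beforehand survives into the authenticated session. The IP check from the first post can still sit in front of this as an optional extra layer, but it is the password, not the address, that decides access.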

Posted: Fri Oct 07, 2005 11:46 pm
by blacksnday
I wasn't really asking if the theory of it was accepted.
I know I have heard many times over the argument about
IP-based anything.

I made this post to get advice on HOW I made it.

Protecting areas of websites is a topic for a different forum post,
as everyone has their preferred method of doing so.

The function above will be included in my News Script once I release it
and, as it says above... it's purely optional.
On top of this, as I also said earlier... this is not the only form
of checking that I currently use.
I still plan on making at least 3 other forms of securing my VF News Admin
center to complement the others I have done so far.

Posted: Sat Oct 08, 2005 3:00 am
by Roja
blacksnday wrote: I wasn't really asking if the theory of it was accepted.
Actually, you asked for critiques and feedback on it, and the theory behind what you are doing is just about the most low-level feedback you can get.
blacksnday wrote: I know I have heard many times over the argument about IP-based anything.
I made this post to get advice on HOW I made it.
Well, then you shouldn't at all be surprised to see many experienced members responding to let you know that IP-based authentication is worse than bad: it's unreliable.

IPs can be spoofed, they can change rapidly, the list goes on.

So, my feedback mirrors what many others have said: There is no "good" way to do it, because you can't polish a turd.

IP-based checking is unreliable by design.