[solved] if $_SERVER can be exploited
How can you grab an IP without using $_SERVER['REMOTE_ADDR']?
Last edited by dallasx on Thu Nov 10, 2005 3:20 pm, edited 2 times in total.
This is a good example of getting afraid of something when there is no need to. You have probably read the security post and now are worried.
Simply use $_SERVER as before but simply don't trust it with your life.
Meaning: it is extremely hard to tamper with $_SERVER except the parts where it relies on the URI. I am not sure about the Windows servers but in Apache if someone can tamper with all of $_SERVER you have bigger problems to worry about, as someone gained root access to your machine.
E.g. the IP address cannot be tampered with server-side but this info is given to the server by the user so it has to be validated. Document_root, e.g., is set by the server and I would love someone to show me a way to tamper with it.
So just be cautious but not afraid.
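Added example, not part of any post in this thread: one way to act on the advice above is to validate REMOTE_ADDR before using it and to escape the $_SERVER entries that come from the request before echoing them. The function names, the key list (not exhaustive) and the sample array are assumptions made for this illustration.

```php
<?php
// Added example. Function names and the key list are hypothetical, chosen for this sketch.

// Keys whose values are derived from the request line or URL (assumed, not exhaustive).
const REQUEST_DERIVED_KEYS = ['REQUEST_URI', 'QUERY_STRING', 'PHP_SELF', 'PATH_INFO'];

/** Return true when a $_SERVER key carries data taken from the request. */
function is_request_derived(string $key): bool
{
    // Every request header is exposed as HTTP_<NAME>.
    return strncmp($key, 'HTTP_', 5) === 0
        || in_array($key, REQUEST_DERIVED_KEYS, true);
}

/** Return REMOTE_ADDR if it is a well-formed IPv4/IPv6 address, else null. */
function client_ip(array $server): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : null;
}

/** HTML-escape request-derived values; leave server-set ones unchanged. */
function server_values_for_output(array $server): array
{
    $out = [];
    foreach ($server as $key => $value) {
        if (!is_string($value)) {
            continue; // skip argv arrays, integer timestamps, etc.
        }
        $out[$key] = is_request_derived($key)
            ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
            : $value;
    }
    return $out;
}

// Constructed sample standing in for $_SERVER so the script runs from the CLI.
$sample = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'DOCUMENT_ROOT'   => '/var/www/html',
    'REQUEST_URI'     => '/index.php?name=<b>x</b>',
    'HTTP_USER_AGENT' => 'ExampleAgent/1.0 "quoted"',
];

var_dump(client_ip($sample));                        // well-formed address
var_dump(client_ip(['REMOTE_ADDR' => 'not-an-ip'])); // rejected value
print_r(server_values_for_output($sample));
```

In a real request handler, pass $_SERVER instead of $sample.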
redmonkey wrote: While my reply does not answer the question directly, it is an option.
If you explained what you meant by just "regex" then it might have been an option, whereas just "regex" doesn't answer anything.
But, OK, point taken, I'll leave options out in future and stick only to direct answers.