[solved] if $_SERVER can be exploited

dallasx
Forum Contributor
Posts: 106
Joined: Thu Oct 20, 2005 4:55 pm
Location: California

Post by dallasx »

How can you grab an IP without using $_SERVER['REMOTE_ADDR']?
Last edited by dallasx on Thu Nov 10, 2005 3:20 pm, edited 2 times in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

getenv() possibly... however, as stated many times before, and likely in the future, IP information is an extremely unreliable source of information.
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

regex
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

regex cannot get the ip, please read the question again.
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Use regex to pattern match and extract the IP address string if it's available within the variable.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

dallasx is asking for an alternative source for the IP, not a method of extracting it from $_SERVER.
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

While my reply does not answer the question directly, it is an option.

But, OK, point taken, I'll leave options out in future and stick only to direct answers.
d_d
Forum Commoner
Posts: 33
Joined: Wed Jul 07, 2004 4:56 pm
Location: UK

Post by d_d »

I don't see any reason why $_SERVER['REMOTE_ADDR'] would be a worse place to get the IP than anywhere else.
If you're worried, just treat it as any other piece of user-supplied data.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

This is a good example of getting afraid of something when there is no need to. You have probably read the security post and now are worried.

Simply use $_SERVER as before but simply don't trust it with your life.

Meaning: it is extremely hard to tamper with $_SERVER except the parts where it relies on the URI. I am not sure about the Windows servers, but in Apache if someone can tamper with all of $_SERVER you have bigger problems to worry about, as someone gained root access to your machine.

E.g. the IP address cannot be tampered with server-side, but this info is given to the server by the user so it has to be validated. Document_root, e.g., is set by the server and I would love someone to show me a way to tamper with it.

So just be cautious but not afraid.
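
An added example, not part of any post in this thread, of the advice d_d and AGISB give above: label which `$_SERVER` entries the client writes, validate `REMOTE_ADDR` before use, and escape everything on output. The function names, the key list (not exhaustive) and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Names below are hypothetical.

// Keys the client writes directly or through the request line / URI.
// Not exhaustive: it covers only the common CGI-style keys.
const CLIENT_WRITTEN = [
    'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF',
    'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH',
];

/** True when the value stored under this $_SERVER key is chosen by the client. */
function is_client_controlled(string $key): bool
{
    // Every request header is exposed as HTTP_<NAME>.
    return strncmp($key, 'HTTP_', 5) === 0
        || in_array($key, CLIENT_WRITTEN, true);
}

/** Return REMOTE_ADDR only if it is a well-formed IPv4/IPv6 address, else null. */
function client_ip(array $server): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : null;
}

// Constructed sample data standing in for $_SERVER.
$server = [
    'REMOTE_ADDR'          => '203.0.113.7',        // peer address of the connection
    'DOCUMENT_ROOT'        => '/var/www/html',      // from the server configuration
    'HTTP_USER_AGENT'      => '<b>any text</b>',    // free-form header
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, not-an-ip', // header, not the peer address
    'REQUEST_URI'          => '/index.php?q="><i>',
];

foreach ($server as $key => $value) {
    $origin = is_client_controlled($key) ? 'client' : 'server-set';
    // Escape on output regardless of origin.
    printf("%-22s %-11s %s\n", $key, $origin,
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

$ip = client_ip($server);
echo 'Validated peer address: ', $ip ?? 'none', "\n";
```

A value that passes `FILTER_VALIDATE_IP` is only well-formed; it identifies the connecting peer, which may be a proxy or NAT gateway rather than the end user.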
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

redmonkey wrote: While my reply does not answer the question directly, it is an option.

But, OK, point taken, I'll leave options out in future and stick only to direct answers.
If you explained what you meant by just "regex" then it might have been an option, whereas just "regex" doesn't answer anything.