[solved] if $_SERVER can be exploited
Posted: Tue Nov 01, 2005 1:42 pm
by dallasx
How can you grab an IP without using $_SERVER['REMOTE_ADDR']?
Posted: Tue Nov 01, 2005 1:45 pm
by feyd
getenv() possibly... however, as stated many times before, and likely in the future, IP information is an extremely unreliable source of information.
Posted: Tue Nov 01, 2005 1:46 pm
by redmonkey
regex
Posted: Tue Nov 01, 2005 4:34 pm
by Jenk
regex cannot get the ip, please read the question again.
Posted: Tue Nov 01, 2005 4:46 pm
by redmonkey
Use regex to pattern match and extract the IP address string if it's available within the variable.
Posted: Tue Nov 01, 2005 4:52 pm
by Jenk
dallasx is asking for an alternative source for the IP, not a method of extracting it from $_SERVER.
Posted: Tue Nov 01, 2005 5:07 pm
by redmonkey
While my reply does not answer the question directly, it is an option.
But, OK, point taken, I'll leave options out in future and stick only to direct answers.
Posted: Tue Nov 01, 2005 6:39 pm
by d_d
I don't see any reason why $_SERVER['REMOTE_ADDR'] would be a worse place to get the IP than anywhere else.
If you're worried, just treat it as any other piece of user-supplied data.
Posted: Wed Nov 02, 2005 12:51 am
by AGISB
This is a good example of getting afraid of something when there is no need to. You have probably read the security post and are now worried.
Simply use $_SERVER as before, but simply don't trust it with your life.
Meaning: it is extremely hard to tamper with $_SERVER except the parts where it relies on the URI. I am not sure about Windows servers, but in Apache, if someone can tamper with all of $_SERVER you have bigger problems to worry about, as someone has gained root access to your machine.
E.g. the IP address cannot be tampered with server-side, but this info is given to the server by the user, so it has to be validated. DOCUMENT_ROOT, e.g., is set by the server, and I would love someone to show me a way to tamper with it.
So just be cautious, but not afraid.
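The points made above (feyd's getenv() alternative, d_d's "treat it as any other piece of user supplied data", and AGISB's distinction between values the server sets itself and values that come from the request) are pulled together in the following PHP snippet. It is an added example written for this thread, not code posted by any of the participants. It assumes Apache-style population of $_SERVER, and the trusted-proxy list passed to effective_client_ip() is a hypothetical value you would replace with your own reverse-proxy addresses.

```php
<?php
// Added example (not from the thread): read the client address from the two
// sources discussed above and treat the result as untrusted input.

/**
 * Return the peer address the web server recorded for this TCP connection,
 * trying getenv() first (feyd's suggestion) and $_SERVER second.
 * Returns null if neither holds a syntactically valid IPv4 or IPv6 address.
 */
function client_ip_from_connection(): ?string
{
    // getenv() reads the CGI-style environment; under mod_php it mirrors $_SERVER.
    // Under the CLI neither is set, so the function returns null there.
    $candidates = [getenv('REMOTE_ADDR'), $_SERVER['REMOTE_ADDR'] ?? null];
    foreach ($candidates as $ip) {
        if (is_string($ip) && filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return null;
}

/**
 * Apache copies every request header into $_SERVER as HTTP_<NAME>. These keys
 * are the request-derived part of $_SERVER that AGISB describes: any client can
 * send them with any value, so they carry no authority on their own.
 */
const CLIENT_CONTROLLED_KEYS = ['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_REAL_IP'];

/**
 * Consult X-Forwarded-For only when the TCP peer is a proxy you operate.
 * Each proxy appends the address it saw, so with one trusted proxy in front of
 * you the right-most entry is the address that connected to that proxy;
 * anything to the left of it was supplied by the client and is ignored.
 * $trusted_proxies is an assumed list of your own reverse-proxy addresses.
 */
function effective_client_ip(array $trusted_proxies): ?string
{
    $peer = client_ip_from_connection();
    if ($peer === null || !in_array($peer, $trusted_proxies, true)) {
        return $peer; // no trusted proxy in front: the connection address is the client
    }
    $xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
    $entries = array_map('trim', explode(',', $xff));
    $last = end($entries);
    return ($last !== false && filter_var($last, FILTER_VALIDATE_IP) !== false) ? $last : $peer;
}

// Constructed demo requests (stand-in values so the script runs from the CLI,
// where $_SERVER has no REMOTE_ADDR). Addresses are from RFC 5737 test ranges.

// 1) Direct connection: the header is client-chosen and must be ignored.
$_SERVER['REMOTE_ADDR'] = '203.0.113.7';
$_SERVER['HTTP_X_FORWARDED_FOR'] = '198.51.100.9';
var_dump(client_ip_from_connection());
var_dump(effective_client_ip(['10.0.0.1']));

// 2) Connection arrives via the trusted proxy 10.0.0.1, which appended the
//    address it saw; the client-supplied left-most entry is still ignored.
$_SERVER['REMOTE_ADDR'] = '10.0.0.1';
$_SERVER['HTTP_X_FORWARDED_FOR'] = 'not-an-ip, 198.51.100.9';
var_dump(effective_client_ip(['10.0.0.1']));

// 3) Show which keys in this request came from the client rather than the server.
foreach (CLIENT_CONTROLLED_KEYS as $key) {
    if (isset($_SERVER[$key])) {
        echo "$key is request-supplied: " . $_SERVER[$key] . PHP_EOL;
    }
}
```

The design point is the one d_d makes: REMOTE_ADDR is no less trustworthy than any other input, and no more. It is validated with filter_var() before use, and the HTTP_* forwarding headers are only consulted when the connection itself came from a proxy you control, because otherwise their contents are simply whatever the client chose to send.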
Posted: Wed Nov 02, 2005 1:47 am
by Jenk
redmonkey wrote: While my reply does not answer the question directly, it is an option.
But, OK, point taken, I'll leave options out in future and stick only to direct answers.
If you explained what you meant by just "regex" then it might have been an option, whereas just "regex" doesn't answer anything.