Re: [PHP] $_SERVER[REMOTE_ADDR]

2003-04-01 Thread Leif K-Brooks
First of all, you should be using quotes around string array keys. $_SERVER['REMOTE_ADDR'] is more correct. Anyway, my guess is there's a proxy here somewhere. John wrote: Makes me think.. what exactly the $_SERVER[REMOTE_ADDR] is doing Cause it does not really show the actual IP

Re: [PHP] $_SERVER[REMOTE_ADDR]

2003-04-01 Thread thomas
$_SERVER["REMOTE_ADDR"] If the user has a proxy the real IP is: $_SERVER["HTTP_X_FORWARDED_FOR"] have fun thomas - Original Message - From: John To: [EMAIL PROTECTED] Sent: Thursday, April 03, 2003 1:26 AM Subject: [PHP] $_SERVER[REMOTE_ADDR] Makes me think.. what

RE: [PHP] $_SERVER[REMOTE_ADDR]

2003-04-02 Thread Mark Charette
> -Original Message- > From: thomas [mailto:[EMAIL PROTECTED] > > $_SERVER["REMOTE_ADDR"] > > If the user has a proxy the real IP is: > $_SERVER["HTTP_X_FORWARDED_FOR"] Maybe. If it's set and is set correctly. Even then: How are 127.0.0.1 or 192.168.1.1 going to help you, supposing that

Re: [PHP] $_SERVER[REMOTE_ADDR]

2003-04-02 Thread Jason Sheets
It isn't always possible to get the visitor's real IP address. If the user's traffic is proxied, the REMOTE_ADDR will be the proxy IP address; some proxies set the forwarded-for header, but for security and privacy some do not. If you are not being directed through a proxy REMOTE_ADDR does show t

Re: [PHP] $_SERVER["REMOTE_ADDR"] returning ::1

2008-09-18 Thread Stut
On 18 Sep 2008, at 05:57, David Rocks wrote: I am running a test PHP web app on my local machine that uses REMOTE_ADDR and most of the time ::1 is returned as the IP addr and sometimes it is 127.0.0.1 . I am on OS X 10.5.5 and using APACHE 2. PHPINFO always returns ::1 for REMOTE_ADDR. Is

Re: [PHP] $_SERVER["REMOTE_ADDR"] returning ::1

2008-09-18 Thread Brady Mitchell
On Sep 17, 2008, at 957PM, David Rocks wrote: I am running a test PHP web app on my local machine that uses REMOTE_ADDR and most of the time ::1 is returned as the IP addr and sometimes it is 127.0.0.1 . I am on OS X 10.5.5 and using APACHE 2. PHPINFO always returns ::1 for REMOTE_ADDR. I

Re: [PHP] $_SERVER["REMOTE_ADDR"] returning ::1

2008-09-18 Thread David Rocks
Stut wrote: On 18 Sep 2008, at 05:57, David Rocks wrote: I am running a test PHP web app on my local machine that uses REMOTE_ADDR and most of the time ::1 is returned as the IP addr and sometimes it is 127.0.0.1 . I am on OS X 10.5.5 and using APACHE 2. PHPINFO always returns ::1 for REMOTE

Re: [PHP] $_SERVER["REMOTE_ADDR"] returning ::1

2008-09-18 Thread Stut
On 18 Sep 2008, at 16:37, David Rocks wrote: Stut wrote: On 18 Sep 2008, at 05:57, David Rocks wrote: I am running a test PHP web app on my local machine that uses REMOTE_ADDR and most of the time ::1 is returned as the IP addr and sometimes it is 127.0.0.1 . I am on OS X 10.5.5 and using

Re: [PHP] $_SERVER["REMOTE_ADDR"] returning ::1

2008-09-18 Thread David Rocks
Stut wrote: On 18 Sep 2008, at 16:37, David Rocks wrote: Stut wrote: On 18 Sep 2008, at 05:57, David Rocks wrote: I am running a test PHP web app on my local machine that uses REMOTE_ADDR and most of the time ::1 is returned as the IP addr and sometimes it is 127.0.0.1 . I am on OS X 10.5

Re: [PHP] $_SERVER["REMOTE_ADDR"] returning ::1

2008-10-07 Thread Stut
Please keep the discussion on the list. On 7 Oct 2008, at 06:11, David Rocks wrote: Your work around worked fine for me but I just had some time to revisit this and wanted to see how hard it would be to rewrite this test. But I ran into a question. The test that was failing compared the cl

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Peter Lind
On 23 June 2010 08:53, Tanel Tammik wrote: > Hi, > > is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries? > With any and all input to sql queries: escape the input. Then you don't have to ask the question. Regards Peter -- WWW: http://plphp.dk / http://plind.dk LinkedIn

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Simon J Welsh
There's a vulnerability in using anything from the user in SQL queries. Escape it :) On 23/06/2010, at 6:53 PM, Tanel Tammik wrote: > Hi, > > is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries? > > Br > Tanel > > > > -- > PHP General Mailing List (http://www.php.net

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Adam Richardson
On Wed, Jun 23, 2010 at 2:53 AM, Tanel Tammik wrote: > Hi, > > is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries? > > Br > Tanel > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > As long as you treat it w

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Rene Veerman
unlikely. it's an apache delivered ip address.. very little chance of insert vulnerabilities, imho. On Wed, Jun 23, 2010 at 8:53 AM, Tanel Tammik wrote: > Hi, > > is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries? > > Br > Tanel > > > > -- > PHP General Mailing List (http:

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tanel Tammik
I was wondering, if there is a chance to manipulate the data this variable holds? Br Tanel "Rene Veerman" wrote in message news:aanlktikwldeucxkru-4ni4pet5lq_5cc_vstnwrtx...@mail.gmail.com... > unlikely. it's an apache delivered ip address.. very little chance of > insert vulnerabilities, imho.

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Michael Shadle
On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote: > unlikely. it's an apache delivered ip address.. very little chance of > insert vulnerabilities, imho. still, the overhead for a db escape is better than your site being trashed. also, you could look at converting the IP to an INT(10) (at lea

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tommy Pham
> -Original Message- > From: Michael Shadle [mailto:mike...@gmail.com] > Sent: Wednesday, June 23, 2010 12:17 AM > To: Rene Veerman > Cc: Tanel Tammik; php-general@lists.php.net > Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection > > On W

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Michael Shadle
On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham wrote: > If you're going to implement this, then it's better to implement the > conversion in the backend DB (via SP or UDF).  So you can always use MySQL > query browser or the command line to run queries or other methods depending > on your access

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tommy Pham
> -Original Message- > From: Michael Shadle [mailto:mike...@gmail.com] > Sent: Wednesday, June 23, 2010 1:07 AM > To: Tommy Pham > Cc: php-general@lists.php.net > Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection > > On Wed, Jun 23, 20

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Michael Shadle
On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham wrote: > Then I presume that your firewall, servers, and application is test proven > 'bulletproof'? :-P a) no such thing b) pretty damn solid, yes and the reason? because i don't overcomplicate things. "a simple stack is a happy stack" :) -- PHP

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tommy Pham
> -Original Message- > From: Michael Shadle [mailto:mike...@gmail.com] > Sent: Wednesday, June 23, 2010 1:20 AM > To: Tommy Pham > Cc: php-general@lists.php.net > Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection > > On Wed, Jun 23, 20

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tommy Pham
> -Original Message- > From: Michael Shadle [mailto:mike...@gmail.com] > Sent: Wednesday, June 23, 2010 1:07 AM > To: Tommy Pham > Cc: php-general@lists.php.net > Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection > > On Wed, Jun 23, 20

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tanel Tammik
"Michael Shadle" wrote in message news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com... > On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote: >> unlikely. it's an apache delivered ip address.. very little chance of >> insert vulnerabilities, imho. > > still, the overhead for a db

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Ashley Sheridan
On Wed, 2010-06-23 at 12:21 +0300, Tanel Tammik wrote: > "Michael Shadle" wrote in message > news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com... > > On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote: > >> unlikely. it's an apache delivered ip address.. very little chance of >

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Andrew Ballard
On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan wrote: > That's what I'd use. You may also have to wrap it inside an abs() call > to ensure it's a positive number, as some IP addresses equate to > negative with ip2long(). NO NO NO NO NO Andrew -- PHP General Mailing List (http://www.php

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Ashley Sheridan
On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: > On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan > wrote: > > That's what I'd use. You may also have to wrap it inside an abs() call > > to ensure it's a positive number, as some IP addresses equate to > > negative with ip2long(). > > NO

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Andrew Ballard
On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan wrote: > > On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: > > On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan > wrote: > > That's what I'd use. You may also have to wrap it inside an abs() call > > to ensure it's a positive number, as s

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Ashley Sheridan
On Wed, 2010-06-23 at 10:58 -0400, Andrew Ballard wrote: > On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan > wrote: > > > > On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: > > > > On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan > > wrote: > > > That's what I'd use. You may also have

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Bob McConnell
From: Ashley Sheridan > Out of interest, how does PHP calculate the IP number, as it was my > understanding of IP numbers that they can't be negative. > > For example, my IP address is 89.243.156.135 > The four parts as binary: > 01011001 > 0011 > 10011100 > 1111 > > From there, I thoug

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Andrew Ballard
On Wed, Jun 23, 2010 at 11:09 AM, Ashley Sheridan wrote: > Out of interest, how does PHP calculate the IP number, as it was my > understanding of IP numbers that they can't be negative. > > For example, my IP address is 89.243.156.135 > The four parts as binary: > 01011001 > 0011 > 10011100 >

Re: [PHP] $_SERVER['REMOTE_ADDR'] arriving in IPv6

2006-05-18 Thread Stut
Marcus Bointon wrote: I'm running PHP 5.1.4 on OS X. When I look at $_SERVER['REMOTE_ADDR'], it seems to contain an ipv6 address rather than an ipv4 one (at present it's giving me 'fe80::1' instead of the usual dotted quad), and that confuses the hell out of things like MySQL's INET_ATON() func

Re: [PHP] $_SERVER['REMOTE_ADDR'] arriving in IPv6

2006-05-18 Thread Richard Lynch
On Thu, May 18, 2006 2:22 pm, Marcus Bointon wrote: > I'm running PHP 5.1.4 on OS X. When I look at $_SERVER > ['REMOTE_ADDR'], it seems to contain an ipv6 address rather than an > ipv4 one (at present it's giving me 'fe80::1' instead of the usual > dotted quad), and that confuses the hell out of t

Re: [PHP] $_SERVER['REMOTE_ADDR'] arriving in IPv6

2006-05-18 Thread Marcus Bointon
On 18 May 2006, at 21:11, Stut wrote: The value in that variable is coming from the web server not PHP. I suggest you change the web server configuration so it's listening on specific v4 IPs only rather than all IPs. See the docs for your web server for details on how to do that. Yup, tha