> -----Original Message-----
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 12:17 AM
> To: Rene Veerman
> Cc: Tanel Tammik; php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
> On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman <rene7...@gmail.com>
> wrote:
> > unlikely. it's a apache delivered ip address.. very little chance of
> > insert vulnerabilities, imho.
> still, the overhead for a db escape is better than your site being trashed.
> also, you could look at converting the IP to an INT(10) (at least for
> IPv4) and save
> ip in string - 123.456.789.123 - up to 15 bytes - varchar(15) ip in integer 
> format
> - 4 bytes - int(10)

If you're going to implement this, then it's better to implement the conversion 
in the backend DB (via SP or UDF).  So you can always use MySQL query browser 
or the command line to run queries or other methods depending on your access to 
the DB, especially if you need to find that malicious IP address quickly ;)


> I've done this on a variety of projects. Arjen even mentions it back in 2005:
> http://arjen-lentz.livejournal.com/44290.html
> It does make things a bit harder to read, and at one point I did get different
> results when calculating it in PHP vs. MySQL (I forget when and how, and
> haven't seen the issue again) but if you're looking for IP ranges it can come 
> in
> handy too - integer math is much cleaner than IP address math :)

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to