"mirrys.net" <mirrys....@gmail.com> wrote on 26 April 2012 at 14:15:

> Hi all,
>
> this is more a question than a real problem (I hope :)). I include this
> script into my pages to log IPs of visitors (they are saved into a txt
> file and sent by e-mail later):

You definitely should. There were some bugs (even in bigger applications
like Coppermine f.e.) that have been introduced by clients sending
manipulated IP or hostname strings.

For the IP address simply check if it is a valid IP4 or IP6 tuple. There
are checks for that.


>
> function getIPadress()
> {
>     if (isset($_SERVER["HTTP_CLIENT_IP"]))
>     {
>         return $_SERVER["HTTP_CLIENT_IP"];
>     }
>     elseif (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
>     {
>         return $_SERVER["HTTP_X_FORWARDED_FOR"];
>     }
>     elseif (isset($_SERVER["HTTP_X_FORWARDED"]))
>     {
>         return $_SERVER["HTTP_X_FORWARDED"];
>     }
>     elseif (isset($_SERVER["HTTP_FORWARDED_FOR"]))
>     {
>         return $_SERVER["HTTP_FORWARDED_FOR"];
>     }
>     elseif (isset($_SERVER["HTTP_FORWARDED"]))
>     {
>         return $_SERVER["HTTP_FORWARDED"];
>     }
>     else
>     {
>         return $_SERVER["REMOTE_ADDR"];
>     }
> }
>
> // save log to txt
> $fh = fopen($fileWithLog, 'a+') or die("Oups " . $fileWithLog ." !");
> $IPAdress = getIPadress();
> fwrite($fh, date('j.n.Y G:i:s') . $IPAdress . " (" .
> gethostbyaddr($IPAdress) . ")\n");
> fclose($fh);
>
> ...can this be some possible security risk (XSS or so..), because I
> do not check chars in IP address and host name mainly. It is probably
> crazy, but on the other side I think it isn't impossible to use some
> bad strings in host name.
>
> Would you recommend using "$IPAdress = htmlspecialchars(getIPadress());"
> or something like that? Or is it nonsense?
>
> Thx and excuse me, if this question is too stupid :(. Br, Mir R.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
Marco Behnke
Dipl. Informatiker (FH), SAE Audio Engineer Diploma
Zend Certified Engineer PHP 5.3

Tel.: 0174 / 9722336
e-Mail: ma...@behnke.biz

Softwaretechnik Behnke
Heinrich-Heine-Str. 7D
21218 Seevetal

http://www.behnke.biz
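
Added example, not part of the original message or written by either poster: one way to do the validity check suggested above, using PHP's filter_var() with FILTER_VALIDATE_IP, plus a syntax check for the name returned by gethostbyaddr(). The function names and all sample values are constructed for illustration.

```php
<?php
// Added example: function names and sample values below are constructed.

// Accept only a syntactically valid IPv4 or IPv6 literal, else null.
function validIpOrNull($candidate)
{
    if (!is_string($candidate)) {
        return null;
    }
    $ip = filter_var(trim($candidate), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// The PTR record is set by whoever controls the address block, so the
// result of gethostbyaddr() is checked against hostname syntax as well.
function validHostnameOrNull($host)
{
    if (!is_string($host) || strlen($host) > 253) {
        return null;
    }
    $label = '[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?';
    $ok = preg_match('/^' . $label . '(\.' . $label . ')*\.?$/i', $host);
    return $ok === 1 ? $host : null;
}

// Build one log line from untrusted inputs; rejected values become "-".
function logLine($rawIp, $rawHost, $when)
{
    $ip = validIpOrNull($rawIp);
    $host = ($ip === null) ? null : validHostnameOrNull($rawHost);
    return $when . ' ' . ($ip === null ? '-' : $ip)
        . ' (' . ($host === null ? '-' : $host) . ")\n";
}

// Constructed header and PTR values, as a client or DNS owner could send them.
$samples = array(
    array('203.0.113.7', 'host7.example.net'),
    array('2001:db8::1', 'v6.example.net'),
    array('<script>alert(1)</script>', 'ignored.example'),
    array("198.51.100.4\nforged log entry", 'x.example'),
    array('198.51.100.9', '"><img src=x>.example'),
);
foreach ($samples as $s) {
    echo logLine($s[0], $s[1], '26.4.2012 14:15:00');
}
```

In the logging script, call gethostbyaddr() only after validIpOrNull() has accepted the address. htmlspecialchars() is still needed at the point where a logged value is written into an HTML page.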
