[PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tanel Tammik
Hi, is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries? Br Tanel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Peter Lind
On 23 June 2010 08:53, Tanel Tammik keevit...@gmail.com wrote: Hi, is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries? With any and all input to sql queries: escape the input. Then you don't have to ask the question. Regards Peter -- hype WWW: http://plphp.dk /

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Adam Richardson
On Wed, Jun 23, 2010 at 2:53 AM, Tanel Tammik keevit...@gmail.com wrote: Hi, is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries? Br Tanel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php As long as you

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Rene Veerman
unlikely. it's an Apache-delivered IP address.. very little chance of insert vulnerabilities, imho. On Wed, Jun 23, 2010 at 8:53 AM, Tanel Tammik keevit...@gmail.com wrote: Hi, is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries? Br Tanel -- PHP General Mailing

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tanel Tammik
I was wondering if there is a chance to manipulate the data this variable holds? Br Tanel Rene Veerman rene7...@gmail.com wrote in message news:aanlktikwldeucxkru-4ni4pet5lq_5cc_vstnwrtx...@mail.gmail.com... unlikely. it's an Apache-delivered IP address.. very little chance of insert

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Michael Shadle
On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman rene7...@gmail.com wrote: unlikely. it's an Apache-delivered IP address.. very little chance of insert vulnerabilities, imho. still, the overhead for a db escape is better than your site being trashed. also, you could look at converting the IP to

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tommy Pham
-Original Message- From: Michael Shadle [mailto:mike...@gmail.com] Sent: Wednesday, June 23, 2010 12:17 AM To: Rene Veerman Cc: Tanel Tammik; php-general@lists.php.net Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman rene7

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Michael Shadle
On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham tommy...@gmail.com wrote: If you're going to implement this, then it's better to implement the conversion in the backend DB (via SP or UDF).  So you can always use MySQL query browser or the command line to run queries or other methods depending

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tommy Pham
-Original Message- From: Michael Shadle [mailto:mike...@gmail.com] Sent: Wednesday, June 23, 2010 1:07 AM To: Tommy Pham Cc: php-general@lists.php.net Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham tommy...@gmail.com wrote

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Michael Shadle
On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham tommy...@gmail.com wrote: Then I presume that your firewall, servers, and application are test-proven 'bulletproof'? :-P a) no such thing b) pretty damn solid, yes and the reason? because i don't overcomplicate things. a simple stack is a happy

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tommy Pham
-Original Message- From: Michael Shadle [mailto:mike...@gmail.com] Sent: Wednesday, June 23, 2010 1:20 AM To: Tommy Pham Cc: php-general@lists.php.net Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham tommy...@gmail.com wrote

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tommy Pham
-Original Message- From: Michael Shadle [mailto:mike...@gmail.com] Sent: Wednesday, June 23, 2010 1:07 AM To: Tommy Pham Cc: php-general@lists.php.net Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham tommy...@gmail.com wrote

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Tanel Tammik
Michael Shadle mike...@gmail.com wrote in message news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com... On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman rene7...@gmail.com wrote: unlikely. it's an Apache-delivered IP address.. very little chance of insert vulnerabilities, imho.

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Ashley Sheridan
On Wed, 2010-06-23 at 12:21 +0300, Tanel Tammik wrote: Michael Shadle mike...@gmail.com wrote in message news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com... On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman rene7...@gmail.com wrote: unlikely. it's an Apache-delivered IP

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Andrew Ballard
On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: That's what I'd use. You may also have to wrap it inside an abs() call to ensure it's a positive number, as some IP addresses equate to negative with ip2long(). NO NO NO NO NO <?php $x =

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Ashley Sheridan
On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: That's what I'd use. You may also have to wrap it inside an abs() call to ensure it's a positive number, as some IP addresses equate to negative with

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Andrew Ballard
On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: That's what I'd use. You may also have to wrap it inside an abs()

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Ashley Sheridan
On Wed, 2010-06-23 at 10:58 -0400, Andrew Ballard wrote: On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:

RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Bob McConnell
From: Ashley Sheridan Out of interest, how does PHP calculate the IP number, as it was my understanding of IP numbers that they can't be negative. For example, my IP address is 89.243.156.135 The four parts as binary: 01011001 0011 10011100 1111 From there, I thought that the

Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection

2010-06-23 Thread Andrew Ballard
On Wed, Jun 23, 2010 at 11:09 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: Out of interest, how does PHP calculate the IP number, as it was my understanding of IP numbers that they can't be negative. For example, my IP address is 89.243.156.135 The four parts as binary: 01011001
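The two points the thread circles around, treating every value that reaches a query as untrusted (Peter Lind's reply) and handling ip2long()'s signed result without abs() (the Ballard/Sheridan exchange), as one added example that is not code from any poster. It assumes the pdo_sqlite extension and uses constructed sample addresses in place of $_SERVER['REMOTE_ADDR'].

```php
<?php
// Added example, not from the thread: validate the client address, convert it
// to an unsigned 32-bit integer, and bind it as a parameter, never interpolate.

// Constructed sample values; in a real request use $_SERVER['REMOTE_ADDR'].
$samples = ['89.243.156.135', '10.0.0.7', 'not-an-address', '::1'];

/**
 * Return a dotted-quad IPv4 address as an unsigned integer string, or null
 * if the value is not a plain IPv4 address.
 *
 * ip2long() returns a signed int, so on 32-bit PHP every address with the
 * top bit set (128.0.0.0 and above) comes back negative. abs() would map
 * such an address onto a different one; sprintf('%u') reinterprets the same
 * bits as unsigned and preserves the address.
 */
function ipv4ToUnsigned(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;            // rejects IPv6, hostnames and junk
    }
    $long = ip2long($ip);
    if ($long === false) {
        return null;
    }
    return sprintf('%u', $long);
}

foreach ($samples as $ip) {
    printf("%-16s -> %s\n", $ip, ipv4ToUnsigned($ip) ?? 'rejected');
}

// Even a server-supplied value is bound through a prepared statement.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE visits (ip_num INTEGER NOT NULL, ip_text TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO visits (ip_num, ip_text) VALUES (:num, :txt)');

$remote = $samples[0];          // stand-in for $_SERVER['REMOTE_ADDR']
$num = ipv4ToUnsigned($remote);
if ($num === null) {
    throw new RuntimeException('REMOTE_ADDR is not an IPv4 address');
}
$stmt->execute([':num' => $num, ':txt' => $remote]);

$row = $pdo->query('SELECT ip_num, ip_text FROM visits')->fetch(PDO::FETCH_ASSOC);
printf("stored %s as %s\n", $row['ip_text'], $row['ip_num']);
```

If the application sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and any forwarded-for header is client-controlled input that needs the same validation.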