On 23 June 2010 08:53, Tanel Tammik keevit...@gmail.com wrote:
Hi,
is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
With any and all input to sql queries: escape the input. Then you
don't have to ask the question.
Regards
Peter
--
hype
WWW: http://plphp.dk/
On Wed, Jun 23, 2010 at 2:53 AM, Tanel Tammik keevit...@gmail.com wrote:
Hi,
is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
Br
Tanel
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
As long as you
unlikely. it's an apache delivered ip address.. very little chance of
insert vulnerabilities, imho.
On Wed, Jun 23, 2010 at 8:53 AM, Tanel Tammik keevit...@gmail.com wrote:
Hi,
is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
Br
Tanel
I was wondering, if there is a chance to manipulate the data this variable
holds?
Br
Tanel
Rene Veerman rene7...@gmail.com wrote in message
news:aanlktikwldeucxkru-4ni4pet5lq_5cc_vstnwrtx...@mail.gmail.com...
unlikely. it's an apache delivered ip address.. very little chance of
insert
On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman rene7...@gmail.com wrote:
unlikely. it's an apache delivered ip address.. very little chance of
insert vulnerabilities, imho.
still, the overhead for a db escape is better than your site being trashed.
also, you could look at converting the IP to
-Original Message-
From: Michael Shadle [mailto:mike...@gmail.com]
Sent: Wednesday, June 23, 2010 12:17 AM
To: Rene Veerman
Cc: Tanel Tammik; php-general@lists.php.net
Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman rene7
On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham tommy...@gmail.com wrote:
If you're going to implement this, then it's better to implement the
conversion in the backend DB (via SP or UDF). So you can always use MySQL
query browser or the command line to run queries or other methods depending
-Original Message-
From: Michael Shadle [mailto:mike...@gmail.com]
Sent: Wednesday, June 23, 2010 1:07 AM
To: Tommy Pham
Cc: php-general@lists.php.net
Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham tommy...@gmail.com
wrote
On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham tommy...@gmail.com wrote:
Then I presume that your firewall, servers, and application are test proven
'bulletproof'? :-P
a) no such thing
b) pretty damn solid, yes
and the reason? because i don't overcomplicate things.
a simple stack is a happy
-Original Message-
From: Michael Shadle [mailto:mike...@gmail.com]
Sent: Wednesday, June 23, 2010 1:20 AM
To: Tommy Pham
Cc: php-general@lists.php.net
Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham tommy...@gmail.com
wrote
-Original Message-
From: Michael Shadle [mailto:mike...@gmail.com]
Sent: Wednesday, June 23, 2010 1:07 AM
To: Tommy Pham
Cc: php-general@lists.php.net
Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham tommy...@gmail.com
wrote
Michael Shadle mike...@gmail.com wrote in message
news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com...
On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman rene7...@gmail.com wrote:
unlikely. it's an apache delivered ip address.. very little chance of
insert vulnerabilities, imho.
On Wed, 2010-06-23 at 12:21 +0300, Tanel Tammik wrote:
Michael Shadle mike...@gmail.com wrote in message
news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com...
On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman rene7...@gmail.com wrote:
unlikely. it's an apache delivered ip
On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
That's what I'd use. You may also have to wrap it inside an abs() call
to ensure it's a positive number, as some IP addresses equate to
negative with ip2long().
NO NO NO NO NO
<?php
$x =
On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote:
On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
That's what I'd use. You may also have to wrap it inside an abs() call
to ensure it's a positive number, as some IP addresses equate to
negative with
On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote:
On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
That's what I'd use. You may also have to wrap it inside an abs()
On Wed, 2010-06-23 at 10:58 -0400, Andrew Ballard wrote:
On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote:
On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
From: Ashley Sheridan
Out of interest, how does PHP calculate the IP number, as it was my
understanding of IP numbers that they can't be negative.
For example, my IP address is 89.243.156.135
The four parts as binary:
01011001
0011
10011100
1111
From there, I thought that the
On Wed, Jun 23, 2010 at 11:09 AM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
Out of interest, how does PHP calculate the IP number, as it was my
understanding of IP numbers that they can't be negative.
For example, my IP address is 89.243.156.135
The four parts as binary:
01011001
Please keep the discussion on the list.
On 7 Oct 2008, at 06:11, David Rocks wrote:
Your work around worked fine for me but I just had some time to
revisit this and wanted to see how hard it would be to rewrite this
test. But I ran into a question. The test that was failing compared
the
On 18 Sep 2008, at 05:57, David Rocks wrote:
I am running a test PHP web app on my local machine that uses
REMOTE_ADDR and most of the time ::1 is returned as the IP addr and
sometimes it is 127.0.0.1 . I am on OS X 10.5.5 and using APACHE 2.
PHPINFO always returns ::1 for REMOTE_ADDR. Is
On Sep 17, 2008, at 9:57PM, David Rocks wrote:
I am running a test PHP web app on my local machine that uses
REMOTE_ADDR and most of the time ::1 is returned as the IP addr and
sometimes it is 127.0.0.1 . I am on OS X 10.5.5 and using APACHE 2.
PHPINFO always returns ::1 for REMOTE_ADDR.
Stut wrote:
On 18 Sep 2008, at 05:57, David Rocks wrote:
I am running a test PHP web app on my local machine that uses
REMOTE_ADDR and most of the time ::1 is returned as the IP addr and
sometimes it is 127.0.0.1 . I am on OS X 10.5.5 and using APACHE 2.
PHPINFO always returns ::1 for
On 18 Sep 2008, at 16:37, David Rocks wrote:
Stut wrote:
On 18 Sep 2008, at 05:57, David Rocks wrote:
I am running a test PHP web app on my local machine that uses
REMOTE_ADDR and most of the time ::1 is returned as the IP addr
and sometimes it is 127.0.0.1 . I am on OS X 10.5.5 and using
Stut wrote:
On 18 Sep 2008, at 16:37, David Rocks wrote:
Stut wrote:
On 18 Sep 2008, at 05:57, David Rocks wrote:
I am running a test PHP web app on my local machine that uses
REMOTE_ADDR and most of the time ::1 is returned as the IP addr and
sometimes it is 127.0.0.1 . I am on OS X
Marcus Bointon wrote:
I'm running PHP 5.1.4 on OS X. When I look at $_SERVER['REMOTE_ADDR'],
it seems to contain an ipv6 address rather than an ipv4 one (at present
it's giving me 'fe80::1' instead of the usual dotted quad), and that
confuses the hell out of things like MySQL's INET_ATON()
On Thu, May 18, 2006 2:22 pm, Marcus Bointon wrote:
I'm running PHP 5.1.4 on OS X. When I look at $_SERVER
['REMOTE_ADDR'], it seems to contain an ipv6 address rather than an
ipv4 one (at present it's giving me 'fe80::1' instead of the usual
dotted quad), and that confuses the hell out of
On 18 May 2006, at 21:11, Stut wrote:
The value in that variable is coming from the web server not PHP. I
suggest you change the web server configuration so it's listening
on specific v4 IPs only rather than all IPs. See the docs for your
web server for details on how to do that.
Yup,
-Original Message-
From: thomas [mailto:[EMAIL PROTECTED]
$_SERVER[REMOTE_ADDR]
If the user has a proxy the real IP is:
$_SERVER[HTTP_X_FORWARDED_FOR]
Maybe. If it's set and is set correctly. Even then:
How are 127.0.0.1 or 192.168.1.1 going to help you, supposing that those
It isn't always possible to get the visitor's real IP address. If the
user's traffic is proxied, the REMOTE_ADDR will be the proxy IP address;
some proxies set the forwarded-for header, but for security and privacy
some do not.
If you are not being directed through a proxy REMOTE_ADDR does show
First of all, you should be using quotes around string array keys.
$_SERVER['REMOTE_ADDR'] is more correct. Anyway, my guess is there's a
proxy here somewhere.
John wrote:
Makes me think.. what exactly the $_SERVER[REMOTE_ADDR] is doing
Cause it does not really show the actual IP
$_SERVER[REMOTE_ADDR]
If the user has a proxy the real IP is:
$_SERVER[HTTP_X_FORWARDED_FOR]
have fun
thomas
- Original Message -
From: John
To: [EMAIL PROTECTED]
Sent: Thursday, April 03, 2003 1:26 AM
Subject: [PHP] $_SERVER[REMOTE_ADDR]
Makes me think.. what