Re: Re: Security Issues - Where to look?


On Tue, November 8, 2005 9:43 am, Gustavo Narea wrote:
>       *Distrust everything coming from your users,
>                even their user agents*
>
>    *If you make your scripts taking this into account,
>              they'll be pretty secure*
>
>
> Actually, I believe that the one thing you can trust in, is their IP
> addresses. Isn't it?

No!

IP is useless for identification or authentication of the general
web-surfer:
  Users behind firewalls will all appear to be from one (1) IP
  AOL users change IPs faster than drummers change underwear

But even in the more restricted case of an IP you "know" will never
change (e.g.: intranet application), that IP can be spoofed, by a
knowledgeable person.

And/or traffic to/from that IP can be targeted and examined.

The user's IP address is a useless bit of fluff you should ignore at
all times if you REALLY care about security.

This is not to say it's not TOTALLY useless...

You might, for example, allow developers from 192.168.*.* to surf to
your http://php.net/phpinfo page on a development box.  After all, if
somebody has already broken through enough walls to surf to it, and
mask their IP as 192.168.*.*, you probably already have MUCH bigger
problems than them seeing phpinfo() output...

It would be BETTER to require a password of some kind, but it's not
totally wack to just use $_SERVER['REMOTE_ADDR'] for this.

You can use IP for statistical analysis of visits/visitors and be
reasonably certain that MOST of the IP addresses are "accurate" and
"semi-static" for a crude visitor/traffic monitoring, but knowing that
a certain percentage of error is inherent to that data -- more like an
opinion poll than anything.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
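Added example (not from the post or the list archive): the REMOTE_ADDR gate for a dev-box phpinfo page that the post describes, followed by the password check the post says would be better. The helper name ip_in_cidr, the constant DEV_PASSWORD_HASH and the user name "dev" are assumptions.

```php
<?php
// Added example, not code from the original post. Gates a phpinfo() page
// on a development box by source IP (192.168.*.* as in the post), then
// also requires a password, which the post says is the better option.

// True if $ip lies inside $cidr (IPv4 only). Hypothetical helper.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                       // not a valid IPv4 address
    }
    // Build a 32-bit netmask; '/0' must not shift by 32.
    $mask = $bits === '0' ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// REMOTE_ADDR comes from the TCP connection. Headers such as
// X-Forwarded-For are set by the client and are not used here.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

if (!ip_in_cidr($clientIp, '192.168.0.0/16')) {
    http_response_code(403);
    exit('Forbidden');
}

// Password check via HTTP Basic auth. DEV_PASSWORD_HASH is a placeholder;
// store the output of password_hash() for the dev account here.
const DEV_PASSWORD_HASH = '$2y$10$REPLACE_WITH_password_hash_OUTPUT';
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user !== 'dev' || !password_verify($pass, DEV_PASSWORD_HASH)) {
    header('WWW-Authenticate: Basic realm="phpinfo"');
    http_response_code(401);
    exit('Authentication required');
}

phpinfo();
```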

