> -----Original Message----- > From: Michael Shadle [mailto:mike503@xxxxxxxxx] > Sent: Wednesday, June 23, 2010 12:17 AM > To: Rene Veerman > Cc: Tanel Tammik; php-general@xxxxxxxxxxxxx > Subject: Re: $_SERVER['REMOTE_ADDR'] and sql injection > > On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman <rene7705@xxxxxxxxx> > wrote: > > unlikely. it's a apache delivered ip address.. very little chance of > > insert vulnerabilities, imho. > > still, the overhead for a db escape is better than your site being trashed. > > also, you could look at converting the IP to an INT(10) (at least for > IPv4) and save > > ip in string - 123.456.789.123 - up to 15 bytes - varchar(15) ip in integer format > - 4 bytes - int(10) > If you're going to implement this, then it's better to implement the conversion in the backend DB (via SP or UDF). So you can always use MySQL query browser or the command line to run queries or other methods depending on your access to the DB, especially if you need to find that malicious IP address quickly ;) Regards, Tommy > I've done this on a variety of projects. Arjen even mentions it back in 2005: > > http://arjen-lentz.livejournal.com/44290.html > > It does make things a bit harder to read, and at one point I did get different > results when calculating it in PHP vs. MySQL (I forget when and how, and > haven't seen the issue again) but if you're looking for IP ranges it can come in > handy too - integer math is much cleaner than IP address math :) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
