"mirrys.net" <mirrys.net@xxxxxxxxx> hat am 26. April 2012 um 14:15 geschrieben: > Hi all, > > this is more question than real problem (I hope :)). I include this > script into my pages to log IPs of visitors (they are saved info txt > file and send to e-mail later): You definitly should. There were some bugs (even in bigger applications like Coppermine f.e.) that have been introduced by clients sending manipulated ip oder hostname Strings. For the IP address simply check if it is a valid IP4 or IP6 tupel. There are checks for that. > > function getIPadress() > { > if (isset($_SERVER["HTTP_CLIENT_IP"])) > { > return $_SERVER["HTTP_CLIENT_IP"]; > } > elseif (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) > { > return $_SERVER["HTTP_X_FORWARDED_FOR"]; > } > elseif (isset($_SERVER["HTTP_X_FORWARDED"])) > { > return $_SERVER["HTTP_X_FORWARDED"]; > } > elseif (isset($_SERVER["HTTP_FORWARDED_FOR"])) > { > return $_SERVER["HTTP_FORWARDED_FOR"]; > } > elseif (isset($_SERVER["HTTP_FORWARDED"])) > { > return $_SERVER["HTTP_FORWARDED"]; > } > else > { > return $_SERVER["REMOTE_ADDR"]; > } > } > > // save log to txt > $fh = fopen($fileWithLog, 'a+') or die("Oups " . $fileWithLog ." !"); > $IPAdress = getIPadress(); > fwrite($fh, date('j.n.Y G:i:s') . $IPAdress . " (" . > gethostbyaddr($IPAdress) . ")\n"); > fclose($fh); > > ...can this be some possible security risk (XSS or so..), becose I > does not check chars in IP adress and host name mainly. It is probably > crazy, but on the other side I think it isn't imposibble to use some > bad strings in host name. > > Would you recommend use "$IPAdress = htmlspecialchars(getIPadress());" > or something like? Or is it nonsense? > > Thx and excuse me, if this question is too stupid :(. Br, Mir R. > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > Marco Behnke Dipl. 
Informatiker (FH), SAE Audio Engineer Diploma Zend Certified Engineer PHP 5.3 Tel.: 0174 / 9722336 e-Mail: marco@xxxxxxxxxx Softwaretechnik Behnke Heinrich-Heine-Str. 7D 21218 Seevetal http://www.behnke.biz -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
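The reply above recommends validating the IP before logging it. The following is an added example (not code from either poster) of what that looks like in PHP: the forwarding headers are honoured only when the TCP peer is one of our own reverse proxies, every candidate value must pass filter_var(FILTER_VALIDATE_IP), and the reverse-DNS name is reduced to a plain hostname alphabet before it reaches the log. The proxy list TRUSTED_PROXIES, the helper names, and the sample requests are assumptions made for the example; $fileWithLog is assumed to be defined by the caller, as in the original snippet.

```php
<?php
// Added example, not from the original post. Assumed: TRUSTED_PROXIES lists
// the reverse proxies that legitimately set X-Forwarded-For; any other peer
// is a client whose headers are attacker-controlled and therefore ignored.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/** Return the trimmed value if it is a valid IPv4/IPv6 literal, else null. */
function validIp(string $ip): ?string
{
    $ip = trim($ip);
    $ok = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6);
    return $ok === false ? null : $ip;
}

/**
 * Pick the client IP from a $_SERVER-shaped array. X-Forwarded-For is walked
 * from the right (the hop our proxy appended) towards the left, skipping our
 * own proxies; the first remaining valid address is the client. Walking stops
 * at the first non-IP entry, so junk injected by the client is never used.
 */
function getClientIp(array $server): string
{
    $remote = validIp($server['REMOTE_ADDR'] ?? '');
    if ($remote === null) {
        return '0.0.0.0';            // cannot happen for a real TCP connection
    }
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;              // direct client: headers are untrusted
    }
    $hops = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '');
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = validIp($hops[$i]);
        if ($hop === null) {
            break;                   // garbage in the chain: trust nothing left of it
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $remote;                  // header empty or only our proxies
}

/** Keep only RFC 1123 hostname characters; PTR records may contain anything. */
function sanitizeHostname(string $host): string
{
    $clean = preg_replace('/[^A-Za-z0-9.\-]/', '_', $host);
    return substr($clean, 0, 253);   // maximum length of a DNS name
}

/** Reverse lookup; gethostbyaddr() returns the IP itself when no PTR exists. */
function resolveHostname(string $ip): string
{
    $host = gethostbyaddr($ip);
    return sanitizeHostname($host === false ? '-' : $host);
}

/** Build one log line; $resolver is injectable so the demo runs offline. */
function formatLogLine(array $server, callable $resolver = 'resolveHostname'): string
{
    $ip = getClientIp($server);
    return date('j.n.Y G:i:s') . ' ' . $ip . ' (' . $resolver($ip) . ")\n";
}

// Constructed sample requests (not real traffic) and a fake PTR answer.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>',   // spoofed, ignored
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.9, 10.0.0.6', // client then our proxy
];
$fakeResolver = fn(string $ip) => sanitizeHostname('<img src=x onerror=alert(1)>.example.net');

echo formatLogLine($direct, $fakeResolver);    // 203.0.113.7 (...sanitised name...)
echo formatLogLine($viaProxy, $fakeResolver);  // 198.51.100.9 (...sanitised name...)

// Real use, appending to the log file ($fileWithLog assumed defined by the caller):
// $fh = fopen($fileWithLog, 'a') or die("Oops " . $fileWithLog . " !");
// fwrite($fh, formatLogLine($_SERVER));
// fclose($fh);
```

Two points the example makes that the original function does not: a header such as X-Forwarded-For is only meaningful when a proxy you control appended it, so the decision to read it at all depends on REMOTE_ADDR, not on whether the header happens to be present; and validation at logging time does not replace escaping at rendering time, so whatever later displays these lines in a browser still has to pass them through htmlspecialchars().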