Re: Should I check input for bad chars in this case?

On Thu, Apr 26, 2012 at 2:15 PM, mirrys.net <mirrys.net@xxxxxxxxx> wrote:
> Hi all,
>
> this is more a question than a real problem (I hope :)). I include this
> script in my pages to log the IPs of visitors (they are saved into a txt
> file and sent by e-mail later):
>
> function getIPadress()
> {
>    if (isset($_SERVER["HTTP_CLIENT_IP"]))
>    {
>        return $_SERVER["HTTP_CLIENT_IP"];
>    }
>    elseif (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
>    {
>        return $_SERVER["HTTP_X_FORWARDED_FOR"];
>    }
>    elseif (isset($_SERVER["HTTP_X_FORWARDED"]))
>    {
>        return $_SERVER["HTTP_X_FORWARDED"];
>    }
>    elseif (isset($_SERVER["HTTP_FORWARDED_FOR"]))
>    {
>        return $_SERVER["HTTP_FORWARDED_FOR"];
>    }
>    elseif (isset($_SERVER["HTTP_FORWARDED"]))
>    {
>        return $_SERVER["HTTP_FORWARDED"];
>    }
>    else
>    {
>        return $_SERVER["REMOTE_ADDR"];
>    }
> }
>
> // save log to txt
> $fh = fopen($fileWithLog, 'a+') or die("Oups " . $fileWithLog ." !");
> $IPAdress = getIPadress();
> fwrite($fh, date('j.n.Y G:i:s') . $IPAdress . " (" .
> gethostbyaddr($IPAdress) . ")\n");
> fclose($fh);
>
> ...can this be a possible security risk (XSS or so..), because I
> do not check the chars in the IP address and host name. It is probably
> crazy, but on the other hand I think it isn't impossible to use some
> bad strings in a host name.
>
> Would you recommend using "$IPAdress = htmlspecialchars(getIPadress());"
> or something like that? Or is it nonsense?
>
> Thx, and excuse me if this question is too stupid :(. Br, Mir R.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Hi, mirrys

Why not use the function filter_input()? This would at least show
if the value is a valid IP address.

function getIPadress() {
	$params = array(
		"HTTP_CLIENT_IP",
		"HTTP_X_FORWARDED_FOR",
		"HTTP_X_FORWARDED",
		"HTTP_FORWARDED_FOR",
		"HTTP_FORWARDED",
		"REMOTE_ADDR"
	);
	
	foreach($params as $param) {
		if ($val = filter_input(INPUT_SERVER, $param, FILTER_VALIDATE_IP))
			return $val;
	}
	
	return false;
}

This way you could even specify "I don't want IPs from a private
range" and stuff like that ...
http://www.php.net/manual/en/filter.filters.validate.php
http://www.php.net/manual/en/function.filter-input.php

If no valid IP address is found you'll get false here ... it depends -
maybe you want to return "127.0.0.1" then ;)

Bye
Simon

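The two threads of this exchange, Mir's worry about unchecked IP/host-name text landing in the log and Simon's suggestion to validate with FILTER_VALIDATE_IP, can be combined in one helper. The following is an added example for this thread, not code from either poster. It assumes two hypothetical inputs, `$trustedProxies` (addresses of reverse proxies you operate) and `$logFile` (the path to append to), and uses `filter_var()` on a plain array instead of `filter_input(INPUT_SERVER, ...)` so it can be exercised offline with a constructed request.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from either poster. It assumes two
// hypothetical inputs: $trustedProxies, the addresses of reverse proxies you
// run, and $logFile, the path the log is appended to.

/**
 * Return the validated client address, or null if nothing validates.
 *
 * Forwarding headers are consulted only when REMOTE_ADDR is one of our own
 * proxies; otherwise any visitor can send X-Forwarded-For with whatever
 * text they like and the log records a spoofed (or malformed) address.
 */
function getClientIp(array $server, array $trustedProxies): ?string
{
    $remote = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($remote === false) {
        return null;
    }
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // X-Forwarded-For is a comma-separated chain; each proxy appends the peer
    // it talked to, so walk from the right and skip our own proxies. The first
    // entry that is not one of ours is the address our proxy actually saw.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = filter_var($chain[$i], FILTER_VALIDATE_IP);
        if ($hop === false) {
            break; // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

/**
 * Build one log line. gethostbyaddr() returns the PTR record, which whoever
 * controls that reverse zone chooses freely, so restrict it to host-name
 * characters and a sane length. A newline in the name would let a visitor
 * forge extra log entries; "<script>" would matter if the file is ever
 * shown in a browser.
 */
function formatLogLine(string $ip, string $host, int $timestamp): string
{
    $safeHost = preg_replace('/[^A-Za-z0-9._-]/', '?', $host) ?? '?';
    $safeHost = substr($safeHost, 0, 253); // maximum length of a DNS name
    return date('j.n.Y G:i:s', $timestamp) . ' ' . $ip . ' (' . $safeHost . ")\n";
}

function logVisitor(string $logFile, array $server, array $trustedProxies): bool
{
    $ip = getClientIp($server, $trustedProxies);
    if ($ip === null) {
        return false;
    }
    $host = gethostbyaddr($ip);
    $line = formatLogLine($ip, $host === false ? $ip : $host, time());
    // LOCK_EX so concurrent requests cannot interleave partial lines.
    return file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample request (not real traffic): the direct peer is our
// reverse proxy at 10.0.0.5, and the chain carries a forged first entry.
$sample = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => "203.0.113.250\n<script>, 198.51.100.7",
];
echo getClientIp($sample, ['10.0.0.5']), "\n";
echo formatLogLine('198.51.100.7', "host.example\n203.0.113.1 (forged)", time());
```

Two design points follow from the thread. First, `htmlspecialchars()` belongs at the moment the log is rendered as HTML, not when the line is written; what the writer must guarantee is that one request produces exactly one line, which is why the host name is filtered to host-name characters rather than HTML-escaped. Second, the proxy headers in the original `getIPadress()` are ordinary request headers that any client can set, so they are only worth reading when the direct peer is a proxy you control; with that rule in place, the same FILTER_VALIDATE_IP filter Simon suggests rejects anything that is not an address before it reaches `gethostbyaddr()` or the file.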



