$_SERVER['REMOTE_ADDR'] and sql injection

Prev: In what scenario an extension of a class is useful?
Next: Problem with ssh2_connect

From: "Tanel Tammik" on 23 Jun 2010 03:13

---

I was wondering, if there is a chance to manipulate the data this variable
holds?

Br
Tanel

"Rene Veerman" <rene7705(a)gmail.com> wrote in message
news:AANLkTikWLdEuCXkRU-4nI4peT5lq_5Cc_VSTnWRtxBJM(a)mail.gmail.com...
> unlikely. it's a apache delivered ip address.. very little chance of
> insert vulnerabilities, imho.
>
> On Wed, Jun 23, 2010 at 8:53 AM, Tanel Tammik <keevitaja(a)gmail.com> wrote:
>> Hi,
>>
>> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql
>> queries?
>>
>> Br
>> Tanel
>>
>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
>
>
> --
> ---------------------------------
> Greetings from Rene7705,
>
> My free open source webcomponents:
> http://code.google.com/u/rene7705/
> http://mediabeez.ws/downloads (and demos)
>
> My music (i'm DJ firesnake)
> http://mediabeez.ws/music
>
> http://www.facebook.com/rene7705
> ---------------------------------

From: Michael Shadle on 23 Jun 2010 03:17

---

On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman <rene7705(a)gmail.com> wrote:
> unlikely. it's a apache delivered ip address.. very little chance of
> insert vulnerabilities, imho.

still, the overhead for a db escape is better than your site being trashed.

also, you could look at converting the IP to an INT(10) (at least for
IPv4) and save

ip in string - 123.456.789.123 - up to 15 bytes - varchar(15)
ip in integer format - 4 bytes - int(10)

I've done this on a variety of projects. Arjen even mentions it back in 2005:

http://arjen-lentz.livejournal.com/44290.html

It does make things a bit harder to read, and at one point I did get
different results when calculating it in PHP vs. MySQL (I forget when
and how, and haven't seen the issue again) but if you're looking for
IP ranges it can come in handy too - integer math is much cleaner than
IP address math :)

From: "Tommy Pham" on 23 Jun 2010 04:01

---

> -----Original Message-----
> From: Michael Shadle [mailto:mike503(a)gmail.com]
> Sent: Wednesday, June 23, 2010 12:17 AM
> To: Rene Veerman
> Cc: Tanel Tammik; php-general(a)lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman <rene7705(a)gmail.com>
> wrote:
> > unlikely. it's a apache delivered ip address.. very little chance of
> > insert vulnerabilities, imho.
>
> still, the overhead for a db escape is better than your site being trashed.
>
> also, you could look at converting the IP to an INT(10) (at least for
> IPv4) and save
>
> ip in string - 123.456.789.123 - up to 15 bytes - varchar(15) ip in integer format
> - 4 bytes - int(10)
>

If you're going to implement this, then it's better to implement the conversion in the backend DB (via SP or UDF). So you can always use MySQL query browser or the command line to run queries or other methods depending on your access to the DB, especially if you need to find that malicious IP address quickly ;)

Regards,
Tommy

> I've done this on a variety of projects. Arjen even mentions it back in 2005:
>
> http://arjen-lentz.livejournal.com/44290.html
>
> It does make things a bit harder to read, and at one point I did get different
> results when calculating it in PHP vs. MySQL (I forget when and how, and
> haven't seen the issue again) but if you're looking for IP ranges it can come in
> handy too - integer math is much cleaner than IP address math :)

From: Michael Shadle on 23 Jun 2010 04:06

---

On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham <tommyhp2(a)gmail.com> wrote:

> If you're going to implement this, then it's better to implement the conversion in the backend DB (via SP or UDF).  So you can always use MySQL query browser or the command line to run queries or other methods depending on your access to the DB, especially if you need to find that malicious IP address quickly ;)

-1 for complicating mysql setups :)

From: "Tommy Pham" on 23 Jun 2010 04:12

---

> -----Original Message-----
> From: Michael Shadle [mailto:mike503(a)gmail.com]
> Sent: Wednesday, June 23, 2010 1:07 AM
> To: Tommy Pham
> Cc: php-general(a)lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham <tommyhp2(a)gmail.com>
> wrote:
>
> > If you're going to implement this, then it's better to implement the
> conversion in the backend DB (via SP or UDF). So you can always use MySQL
> query browser or the command line to run queries or other methods
> depending on your access to the DB, especially if you need to find that
> malicious IP address quickly ;)
>
> -1 for complicating mysql setups :)

Then I presume that your firewall, servers, and application is test proven 'bulletproof'? :-P

Regards,
Tommy

First  |  Prev  |  Next  |  Last
Pages: 1 2 3 4 5
Prev: In what scenario an extension of a class is useful?
Next: Problem with ssh2_connect