
Accessibility and Usability Forum

    
Blocking Users with No IP Address
Bad idea?
dougmcc1




msg:3809155
 1:42 am on Dec 17, 2008 (gmt 0)

Is it a bad idea to block users with no IP address from accessing my website?

I'm getting some registrations from spammers who don't have IP addresses and I figured it would be easier to block all users with no IP than blocking each of these usernames one by one.

Are there many legitimate users that won't have an IP address for good reasons?

 

jdMorgan




msg:3809158
 1:53 am on Dec 17, 2008 (gmt 0)

Something's wrong with your reporting software, there. If no IP address is provided with a TCP/IP request, then your server cannot send anything back to the requester. Therefore, "registration" would be quite impossible.

In fact, they wouldn't even be able to view your site or any other -- They could not receive anything from the servers. The HTTP protocol cannot work if no IP address is provided at the TCP/IP level.

Jim

dougmcc1




msg:3809254
 5:03 am on Dec 17, 2008 (gmt 0)

Thanks for the reply, Jim.

I thought it was really strange, too. I don't know if it makes any difference but I assume they're using a bot to send requests to my registration script rather than actually visiting my website through a browser.

I added some PHP code to collect their IP address and then I banned all users who don't have an IP which essentially are just the few spammer registrations.

But now they started signing up with IP addresses so I added functionality to allow me to ban the IP addresses they're using.

Anyway, whether they do or don't have an IP I should be able to control their access now. Still, it is kind of weird that the script wasn't capturing their IP. Here's the script:

function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) // check IP from shared internet
    {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) // check whether IP is passed from proxy
    {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

Thanks again.

[edited by: jatar_k at 4:06 pm (utc) on Dec. 17, 2008]
[edit reason] added code [/edit]

dougmcc1




msg:3809635
 5:24 pm on Dec 17, 2008 (gmt 0)

It seems they are actually still signing up without an IP address. It's going to be a real pain if I have to ban their multiple usernames every single day manually.

Is the script I found missing something or are they masking their IP somehow?

I also don't understand how they're able to register since I have additional code that doesn't add new users to the database unless they have an ip address. In fact, I also have an include in all of my pages that doesn't even allow access to my site if no IP is detected.

Do you think they're bypassing my registration script and somehow sending a query directly to my database?

enigma1




msg:3809667
 6:01 pm on Dec 17, 2008 (gmt 0)

Perhaps you should fix your code. Return the IP from the $_SERVER['REMOTE_ADDR'] only. Also check the $_SERVER['HTTP_CLIENT_IP'], HTTP_X... etc for addresses but if one of these parameters is set, it means a proxy and so you should block the page access. There is no point allowing accesses to customers or even bots behind known proxies. Something like that could hurt your site in many different ways.

And avoid using permanent bans to ips.

PS: The bug in your code is that someone could set up the HTTP_CLIENT_IP or HTTP_X... header vars on purpose (with some space chars) in which case your code returns an invalid IP.

jdMorgan




msg:3809679
 6:19 pm on Dec 17, 2008 (gmt 0)

Yes REMOTE_ADDR is the correct variable, and trying to use HTTP_CLIENT_IP is the likely cause of the failures to detect an IP address; As I said, "Something's wrong with your reporting software, there."

Again, it is impossible to use HTTP if a sending client doesn't send a valid and correct IP address in outgoing TCP/IP packets because as a result, server replies cannot be routed back to the sender. The IP address is added by the sender's TCP/IP stack, and any packet with an invalid or incorrect sender IP address cannot be replied-to. The TCP/IP protocol is the lower-level protocol upon which HTTP connections depend, and HTTP cannot work if improper TCP/IP packets are received.

Jim
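
The difference between the two approaches discussed above, as an added example that is not part of any post in this thread. The function names and the sample requests are constructed for illustration; the header values stand in for whatever a client chooses to send.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.

// The function as posted (first non-empty header wins), taking the server
// array as a parameter so it can be exercised offline.
function getRealIpAddrAsPosted(array $server): string
{
    if (!empty($server['HTTP_CLIENT_IP'])) {
        return $server['HTTP_CLIENT_IP'];
    } elseif (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    return $server['REMOTE_ADDR'];
}

// REMOTE_ADDR only: it is filled in by the web server from the TCP
// connection, not from anything the client typed into a header.
function clientIp(array $server): ?string
{
    $ip = filter_var(trim($server['REMOTE_ADDR'] ?? ''), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Client-supplied headers are kept only as untrusted log annotations:
// control and non-ASCII bytes escaped, length capped.
function forwardedHeadersForLog(array $server): array
{
    $out = [];
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $key) {
        if (isset($server[$key])) {
            $out[$key] = substr(addcslashes($server[$key], "\0..\37\177..\377"), 0, 64);
        }
    }
    return $out;
}

// Constructed requests (addresses from the RFC 5737 documentation range).
$requests = [
    'plain browser'    => ['REMOTE_ADDR' => '203.0.113.7'],
    'forged Client-IP' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => 'unknown'],
    'forged XFF'       => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($requests as $label => $server) {
    printf("%-17s posted=%-14s remote_addr=%s\n", $label,
        var_export(getRealIpAddrAsPosted($server), true),
        var_export(clientIp($server), true));
}
```

In the two forged cases the posted function returns the header text, while the REMOTE_ADDR version still returns 203.0.113.7, so a ban list or database column keyed on the posted function's result records something that is not an address.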

dougmcc1




msg:3810623
 7:29 pm on Dec 18, 2008 (gmt 0)

Thanks for the tips, guys. I reduced my code to the following:

$ip = $_SERVER['REMOTE_ADDR'];
if (!$ip) {
    die("Your access to our website has been disabled.");
}

Yet still they are able to register. I'm inserting their IP address into my database at the time of registration and sometimes their spam signups show an IP and sometimes it doesn't, which is hard to believe considering the code above should be preventing them from even viewing my website.

Any other ideas? Thanks again for your help.

brotherhood of LAN




msg:3852969
 7:39 am on Feb 19, 2009 (gmt 0)

if (!isset($_SERVER['REMOTE_ADDR']) || !trim($_SERVER['REMOTE_ADDR'])) {
    die("Your access to our website has been disabled.");
}

you'd need to replace the broken ¦ with the pipe character.
