Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

Is echo $_SERVER['REMOTE_ADDR']; safe?
No injection risk?
SteveWh

5+ Year Member

Msg#: 3598882 posted 8:28 pm on Mar 12, 2008 (gmt 0)

I want to show visitors what their IP is. I think this code should do it:

if(isset($_SERVER['REMOTE_ADDR']) && strlen($_SERVER['REMOTE_ADDR']) > 0)
echo $_SERVER['REMOTE_ADDR'];
else
echo 'Unknown.';

register_globals is Off.

Can I trust that $_SERVER['REMOTE_ADDR'] will always be either a valid value set by the server, or blank?

I want to be sure it's impossible for a user to inject a value through the query string (or any other way) that would cause something other than the real IP to be displayed on the page.

Do I need to use anything like htmlspecialchars() or strip_tags()?

I know this won't detect proxies, but I don't want to deal with anything like HTTP_X_FORWARDED_FOR, which apparently can be easily spoofed.

I'll be satisfied with $_SERVER['REMOTE_ADDR'] as long as I know it might be right or wrong, but never maliciously spoofed.

----

Can I assume that all the various $_SERVER[] variables are always safe to use, and can't be manipulated from the outside?

 

jatar_k

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member

Msg#: 3598882 posted 11:34 pm on Mar 12, 2008 (gmt 0)

$_SERVER contains data that, in parts, is supplied by the user, though it is compiled by the server

From what I have seen, I don't think it is possible to inject anything but a spoofed IP into REMOTE_ADDR. I would think injecting JS or some such would cause some issues with the routing of the request, but I'm sure someone will figure something out.

I guess it depends on what you are doing with it but if you are just spitting it back at them then it shouldn't be a huge issue.

if you are writing $_SERVER data to anywhere then standard precautions should apply depending on where it is being written to.

coopster

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member

Msg#: 3598882 posted 1:56 pm on Mar 13, 2008 (gmt 0)

Well said. Don't trust user-supplied input. Period.

Can I assume that all the various $_SERVER[] variables are always safe to use, and can't be manipulated from the outside?

No. As stated, many are user-supplied. In the case of REMOTE_ADDR you can use a regular expression to check for an IP address. If it doesn't look like one, discard it, send an error message, log the issue, ... however you decide to handle it. Bare minimum, I strip_tags() before using htmlentities() to display the information.

surrealillusions

5+ Year Member

Msg#: 3598882 posted 2:02 pm on Mar 13, 2008 (gmt 0)

Jatar - if you are writing $_SERVER data to anywhere then standard precautions should apply depending on where it is being written to.

Such as what? If you're writing it to a database, but the user is unaware that you're writing their IP address to a database on completion of a form or something. What are the standard precautions?

:)

coopster

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member

Msg#: 3598882 posted 2:12 pm on Mar 13, 2008 (gmt 0)

Scrubbing the data. Making sure it contains what you expect it to contain. If you are writing it back out to the browser, use the appropriate functions (see previous post).

If you are writing it to your database, use the appropriate functions such as mysql_real_escape_string [php.net] for a MySQL database.
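Putting this post and the previous one together (check that REMOTE_ADDR actually looks like an address, then escape it for whichever context it lands in), here is an added example that is not code from the thread. It assumes PHP 7.1 or later: filter_var() with FILTER_VALIDATE_IP stands in for a hand-written regular expression, and a PDO bound parameter stands in for mysql_real_escape_string(), which no longer exists in PHP 7. The visits table, its columns and the sample $_SERVER arrays are constructed for the example.

```php
<?php
// Added example, not from the thread: validate REMOTE_ADDR once, then apply
// the escaping that fits the destination (HTML page or database row).
// Assumes PHP 7.1+; the table name and columns below are placeholders.

/**
 * Return the client IP only if it parses as an IPv4 or IPv6 address,
 * otherwise null. Anything else found in REMOTE_ADDR is treated as junk.
 */
function client_ip(array $server): ?string
{
    $raw = $server['REMOTE_ADDR'] ?? '';
    $ip  = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/** HTML context: escape at output time even though the value was validated. */
function ip_for_html(array $server): string
{
    $ip = client_ip($server);
    return $ip === null ? 'Unknown' : htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
}

/**
 * Database context: a bound parameter keeps the value out of the SQL text,
 * so no string escaping function is needed at all.
 */
function log_visit(PDO $db, array $server): bool
{
    $ip = client_ip($server);
    if ($ip === null) {
        // Refuse to store something that is not an address; log it instead.
        error_log('REMOTE_ADDR failed validation: ' . ($server['REMOTE_ADDR'] ?? '(unset)'));
        return false;
    }
    $stmt = $db->prepare('INSERT INTO visits (ip, seen_at) VALUES (:ip, NOW())');
    return $stmt->execute([':ip' => $ip]);
}

// Constructed sample $_SERVER arrays, not real requests.
$samples = [
    ['REMOTE_ADDR' => '203.0.113.7'],                // ordinary IPv4
    ['REMOTE_ADDR' => '2001:db8::1'],                // IPv6 is also a valid address
    ['REMOTE_ADDR' => '<script>alert(1)</script>'],  // junk: shown as "Unknown"
    [],                                              // key missing entirely
];

foreach ($samples as $server) {
    echo ip_for_html($server), "\n";
}
```

The script runs without a database because log_visit() is only called once you hand it a PDO connection; the point of the function is that the IP is bound as a parameter rather than concatenated into the query.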

Achernar

5+ Year Member

Msg#: 3598882 posted 3:02 pm on Mar 13, 2008 (gmt 0)

$_SERVER['REMOTE_ADDR'] will always be an IP address. This is one of several $_SERVER[] variables that are not fed directly by the user. The value comes from Apache. The address might be faked, but it will always be in the form 127.234.56.78.
$_SERVER['REMOTE_HOST'], to the contrary, is a value that Apache gets by reverse DNSing 'REMOTE_ADDR'. I don't know if it does some sanity checks on it. 'REMOTE_HOST' is only available if "HostnameLookups" is set to "on" in Apache's configuration.

coopster

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member

Msg#: 3598882 posted 6:12 pm on Mar 13, 2008 (gmt 0)

The address might be faked

... faked by the user, therefore user-supplied. Do yourself a favor and treat it as such.

'REMOTE_HOST' is only available if "HostnameLookups" is set to "on" in apache's configuration.

This is not entirely true. But don't feel bad, there are very few people that realize if you use Allow [httpd.apache.org]/Deny directives with a partial domain-name match Apache will indeed populate the REMOTE_HOST environment variable, regardless of the setting of the HostnameLookups directive. This happens because it causes Apache to perform a double reverse DNS lookup on the client IP address.

Achernar

5+ Year Member

Msg#: 3598882 posted 6:50 pm on Mar 13, 2008 (gmt 0)

The address might be faked

... faked by the user, therefore user-supplied. Do yourself a favor and treat it as such.

Fake IP. So what? It would still be available in this form. It is extracted by apache from the network layer. There is no danger at all to display it, or store it as-is in a database.

This is not entirely true. But don't feel bad

I don't feel bad. I know perfectly well that this option can be activated by other settings. The point is that we were not discussing apache configuration.

coopster

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member

Msg#: 3598882 posted 7:08 pm on Mar 13, 2008 (gmt 0)

Seems I offended you in some way here, not my intention. I am just trying to remind folks to be security-conscious when programming. It is best to form a habit keeping in mind that user-supplied data cannot be trusted.

SteveWh

5+ Year Member

Msg#: 3598882 posted 6:26 pm on Mar 14, 2008 (gmt 0)

Thanks to everyone who replied with so much useful info in this discussion.

The mistake I apparently made was assuming, without thinking about it, that the server has an independent means of knowing the remote IP, sort of like Caller ID. But if I understand correctly now, it doesn't. It's sent as part of the request. It's almost always reliable because the requestor can't get a page back if it provides the wrong IP or injection data where the IP should be. But a malicious requestor might not care about getting a page back. Without looking at the Apache source code, I'd bet that it does some validity checking before assigning the value to REMOTE_ADDR, but I won't count on that.

On closer examination, a number of the $_SERVER variables are similarly user-supplied. If I'd entered into this with my attention focused on HTTP_USER_AGENT, for example, I would have known right away that some of these can't be trusted because I've spoofed that on occasion myself.

So I took this opportunity to get introduced to data scrubbing, which I haven't needed to do until now, and came up with this (comments and criticism welcome):


if (isset($_SERVER['REMOTE_ADDR']) &&
    (strlen($_SERVER['REMOTE_ADDR']) > 0) &&
    // preg_match() stands in for ereg(), which was removed in PHP 7;
    // 0 means no character outside digits and periods was found.
    (preg_match('/[^0-9.]/', $_SERVER['REMOTE_ADDR']) === 0))
{
    // This variation should be bulletproof, but the pattern has already rejected
    // input containing anything except numerals and periods, so it's also unnecessary.
    // echo htmlentities(strip_tags($_SERVER['REMOTE_ADDR']), ENT_QUOTES);
    // Thus, this should do.
    echo $_SERVER['REMOTE_ADDR'];
}
else
    echo 'Unknown';
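The check in the post above only asks whether the string consists of digits and dots, so it accepts strings that are not addresses at all (too many octets, octets above 255, nothing but dots) and rejects every IPv6 address. The following added example, which is not part of the post, runs that check and filter_var() with FILTER_VALIDATE_IP side by side over constructed sample strings. It assumes PHP 7 or later, with preg_match() in place of the removed ereg().

```php
<?php
// Added example, not from the thread: compare the "digits and dots only"
// test with a real address parser. Sample strings are constructed.

/** The post's check, rewritten with preg_match() because ereg() is gone in PHP 7+. */
function digits_and_dots_only(string $value): bool
{
    return $value !== '' && preg_match('/[^0-9.]/', $value) === 0;
}

/** Syntactic check: the string must parse as an IPv4 or IPv6 address. */
function is_ip_address(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_IP) !== false;
}

$samples = [
    '203.0.113.7',          // ordinary IPv4: both accept
    '2001:db8::1',          // IPv6: the regex rejects, filter_var accepts
    '999.999.999.999',      // digits and dots, but not an address
    '1.2.3.4.5',            // too many octets
    '...',                  // only dots
    "1.2.3.4\n<b>x</b>",    // stray markup: both reject
];

printf("%-24s %-8s %s\n", 'input', 'regex', 'filter_var');
foreach ($samples as $s) {
    printf("%-24s %-8s %s\n",
        json_encode($s),
        digits_and_dots_only($s) ? 'accept' : 'reject',
        is_ip_address($s) ? 'accept' : 'reject');
}
```

Neither check changes what Apache puts into REMOTE_ADDR; the stricter one simply refuses to display a string that could not have been an address, and it keeps working once IPv6 clients show up.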

whoisgregg

WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member

Msg#: 3598882 posted 6:53 pm on Mar 14, 2008 (gmt 0)

independent means of knowing the remote IP, sort of like Caller ID.

Caller ID is provided by the calling party and can also be spoofed. There's a good article about it on wikipedia if anyone is interested in learning about it.

SteveWh

5+ Year Member

Msg#: 3598882 posted 10:47 pm on Mar 14, 2008 (gmt 0)

Caller ID is provided by the calling party and can also be spoofed.

LOL, I didn't know that. Was just looking for an analogy. I've never had Caller ID, and was only guessing it was provided by the phone company.

Achernar

5+ Year Member

Msg#: 3598882 posted 11:41 pm on Mar 14, 2008 (gmt 0)

$_SERVER['REMOTE_ADDR'] will always be an IP address.
The client can spoof it, but only as another IP address. This is a string only containing digits and dots.

© Webmaster World 1996-2014 all rights reserved