$_SERVER contains data that, in parts, is supplied by the user, though it is compiled by the server

from what I have seen I don't think REMOTE_ADDR is possible to inject anything but a spoofed ip. I would think injecting js or some such cause some issues with the routing of the request but I'm sure someone will figure something out.

I guess it depends on what you are doing with it but if you are just spitting it back at them then it shouldn't be a huge issue.

if you are writing $_SERVER data to anywhere then standard precautions should apply depending on where it is being written to.

Well said. Don't trust user-supplied input. Period.

Can I assume that all the various $_SERVER[] variables are always safe to use, and can't be manipulated from the outside?

No. As stated, many are user-supplied. In the case of REMOTE_ADDR you can use a regular expression to check for an IP address. If it doesn't look like one, discard it, send an error message, log the issue, ... however you decide to handle it. Bare minimum, I strip_tags() before using htmlentities() to display the information.

Jatar - if you are writing $_SERVER data to anywhere then standard precautions should apply depending on where it is being written to.

Such as what? If your writing it to a datebase, but the user is unaware that you're writing their ip address to a database on completion of a form or something. What are the standard precautions?

:)

Scrubbing the data. Making sure it contains what you expect it to contain. If you are writing it back out to the browser, use the appropriate functions (see previous post).

If you are writing it to your database, use the appropriate functions such as mysql_real_escape_string [php.net] for a MySQL database.

$_SERVER['REMOTE_ADDR'] will always be an IP address. This is one of several $_SERVER[] variables that are not fed directly by the user. The value comes from apache. The address might be faked, but it will always be in the form 127.234.56.78 .
$_SERVER['REMOTE_HOST'], to the contrary, is a value that apache gets by reverse DNSing 'REMOTE_ADDR'. I don't know if it does some sanity checks on it. 'REMOTE_HOST' is only available if "HostnameLookups" is set to "on" in apache's configuration.

The address might be faked

... faked by the user, therefore user-supplied. Do yourself a favor and treat it as such.

'REMOTE_HOST' is only available if "HostnameLookups" is set to "on" in apache's configuration.

This is not entirely true. But don't feel bad, there are very few people that realize if you use Allow [httpd.apache.org]/Deny directives with a partial domain-name match Apache will indeed populate the

REMOTE_HOST

environment variable, regardless of the setting of the HostnameLookups directive. This happens because it causes Apache to perform a double reverse DNS lookup on the client IP address.

The address might be faked

... faked by the user, therefore user-supplied. Do yourself a favor and treat it as such.

Fake IP. So what? It would still be available in this form. It is extracted by apache from the network layer. There is no danger at all to display it, or store it as-is in a database.

This is not entirely true. But don't feel bad

I don't feel bad. I know perfectly well that this option can be activated by other settings. The point is that we were not discussing apache configuration.

Seems I offended you in some way here, not my intention. I am just trying to remind folks to be security-conscious when programming. It is best to form a habit keeping in mind that user-supplied data cannot be trusted.

Thanks to everyone who replied with so much useful info in this discussion.

The mistake I apparently made was assuming, without thinking about it, that the server has an independent means of knowing the remote IP, sort of like Caller ID. But if I understand correctly now, it doesn't. It's sent as part of the request. It's almost always reliable because the requestor can't get a page back if it provides the wrong IP or injection data where the IP should be. But a malicious requestor might not care about getting a page back. Without looking at the Apache source code, I'd bet that it does some validity checking before assigning the value to REMOTE_ADDR, but I won't count on that.

On closer examination, a number of the $_SERVER variables are similarly user-supplied. If I'd entered into this with my attention focused on HTTP_USER_AGENT, for example, I would have known right away that some of these can't be trusted because I've spoofed that on occasion myself.

So I took this opportunity to get introduced to data scrubbing, which I haven't needed to do until now, and came up with this (comments and criticism welcome):

if(isset($_SERVER['REMOTE_ADDR']) &&  
(strlen($_SERVER['REMOTE_ADDR']) > 0) &&  
(ereg('[^0-9\.]', $_SERVER['REMOTE_ADDR']) === false)) 
{ 
// This variation should be bulletproof, but ereg has already rejected input 
// containing anything except numerals and periods, so it's also unnecessary. 
// echo htmlentities(strip_tags($_SERVER['REMOTE_ADDR']), ENT_QUOTES); 
// Thus, this should do. 
echo $_SERVER['REMOTE_ADDR']); 
} 
else 
 echo 'Unknown'; 

independent means of knowing the remote IP, sort of like Caller ID.

Caller ID is provided by the calling party and can also be spoofed. There's a good article about it on wikipedia if anyone is interested in learning about it.

Caller ID is provided by the calling party and can also be spoofed.

LOL, I didn't know that. Was just looking for an analogy. I've never had Caller ID, and was only guessing it was provided by the phone company.

$_SERVER['REMOTE_ADDR'] will always be an IP address.
The client can spoof it, but only as another IP address. This is a string only containing digits and dots.