PHP, MySQL and IP-addresses

Re: PHP, MySQL and IP-addresses

On Sat, 11 Mar 2006 09:03:03 +0100, Jørn Dahl-Stamnes wrote:[color=blue]
> I use this code to store the IP addresse:
>
> <?php
> $IP = $_SERVER['REMOTE_ADDR'];
> $query = "update mytable set ipaddr=inet_ato n('$IP') where <some code>";
> mysql_query ($query);
> ?>
>
> When I do a 'select inet_ntoa(ipadd r) from mytable' most of the
> ip-addesses shows up correctly, but one showed up as "127.255.255.25 5",
> which is meaningless. Comparing to the log, the IP-address was 195.x.x.x
>
> Is the $_SERVER['REMOTE_ADDR'] safe to use? Can it be something else that
> the actual source of the http request to my server?[/color]

$_SERVER['REMOTE_ADDR'] can be the address of a proxy (maybe in this case
an bad anonymising one). I always check if
$_SERVER["HTTP_X_FORWARD ED_FOR"] is set first (most proxies set this
header to the be the originating IP address).

Cheers,


Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

Re: PHP, MySQL and IP-addresses

Andy Jeffries wrote:
[color=blue]
> On Sat, 11 Mar 2006 09:03:03 +0100, Jørn Dahl-Stamnes wrote:[color=green]
>> I use this code to store the IP addresse:
>>
>> <?php
>> $IP = $_SERVER['REMOTE_ADDR'];
>> $query = "update mytable set ipaddr=inet_ato n('$IP') where <some
>> code>"; mysql_query ($query);
>> ?>
>>
>> When I do a 'select inet_ntoa(ipadd r) from mytable' most of the
>> ip-addesses shows up correctly, but one showed up as "127.255.255.25 5",
>> which is meaningless. Comparing to the log, the IP-address was 195.x.x.x
>>
>> Is the $_SERVER['REMOTE_ADDR'] safe to use? Can it be something else that
>> the actual source of the http request to my server?[/color]
>
> $_SERVER['REMOTE_ADDR'] can be the address of a proxy (maybe in this case
> an bad anonymising one). I always check if
> $_SERVER["HTTP_X_FORWARD ED_FOR"] is set first (most proxies set this
> header to the be the originating IP address).[/color]

I found out that it was my own test-server that genereated the
127.255.255.255 adress. But the funny thing is that if I in the php-file
added a 'echo "IP-addr.:" . $_SERVER['REMOTE_ADDR'];' it showed the correct
IP-adresse. But if I called a function from the same php file, which
updated the SQL database with my IP-address, the address had changed to
127.255.255.255 . I can't figure out why.

--
Jørn Dahl-Stamnes

Re: PHP, MySQL and IP-addresses

Jørn Dahl-Stamnes wrote:
[color=blue]
> I use this code to store the IP addresse:
>
> <?php
> $IP = $_SERVER['REMOTE_ADDR'];
> $query = "update mytable set ipaddr=inet_ato n('$IP') where <some code>";
> mysql_query ($query);
> ?>
>
> When I do a 'select inet_ntoa(ipadd r) from mytable' most of the
> ip-addesses shows up correctly, but one showed up as "127.255.255.25 5",
> which is meaningless. Comparing to the log, the IP-address was 195.x.x.x
>
> Is the $_SERVER['REMOTE_ADDR'] safe to use? Can it be something else that
> the actual source of the http request to my server?[/color]

I found the error. The ipaddr was of type "int" but should have been "int
unsigned" in order to store ip-addresses from 128.0.0.0 and above. So all
ip-addresses above 127.255.255.255 , was stored as 127.255.255.255 .

--
Jørn Dahl-Stamnes