 

is it necessary to validate $_SERVER['REMOTE_ADDR']?

Tags: php, apache, cgi

assuming that php is running in web mode via cgi / mod_php / etc...

is it safe to assume that $_SERVER['REMOTE_ADDR'] will exist, and furthermore, that it will contain a correctly stylized (sorry, terminology may be off here...) ip (1.1.1.1 -> 255.255.255.255?)?

this is not a question regarding whether the ip contained inside $_SERVER['REMOTE_ADDR'] will be the true ip of the client making the request, as i do understand this can be 'spoofed' by modifying the outbound tcp packets...

just simply:

a) will $_SERVER['REMOTE_ADDR'] always exist if php is run in web mode?

b) if $_SERVER['REMOTE_ADDR'] does always exist, will it always contain a properly syntaxed ip?

thanks.

anonymous-one asked Jun 25 '11 14:06





1 Answer

Yes, it is always present in web mode, and since the IP address is converted from its binary representation to the textual format you're seeing, it is always valid – there is no way to specify an invalid IP in the IP header.

One more thing: Don't assume any special format unless you absolutely must deal with IP addresses. For example, IPv6 addresses are longer and contain different characters. Basically, deal with IP addresses as an opaque string.

phihag answered Sep 29 '22 02:09

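An added PHP example, not taken from the original post, showing how to act on the answer's advice: cope with the one case where the key is absent (CLI rather than a web SAPI), accept IPv6 as well as IPv4, and otherwise treat the value as opaque apart from a cheap syntax check. The helper name clientAddress and the sample inputs are constructed for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return the client address from REMOTE_ADDR in a canonical textual form,
 * or null when it is absent (CLI) or not a syntactically valid IPv4/IPv6
 * address. Hypothetical helper written for this example.
 */
function clientAddress(array $server): ?string
{
    // Absent when PHP runs from the command line instead of under a web SAPI.
    if (!isset($server['REMOTE_ADDR']) || !is_string($server['REMOTE_ADDR'])) {
        return null;
    }
    // Deliberately read only REMOTE_ADDR: it comes from the TCP connection,
    // whereas headers such as HTTP_X_FORWARDED_FOR are supplied by the client.
    $raw = $server['REMOTE_ADDR'];

    // FILTER_VALIDATE_IP accepts both IPv4 and IPv6 by default.
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Round-trip through the binary form so equivalent spellings compare
    // equal, e.g. "0:0:0:0:0:0:0:1" and "::1" both come back as "::1".
    $packed = inet_pton($raw);
    if ($packed === false) {
        return null;
    }
    $canonical = inet_ntop($packed);
    return $canonical === false ? null : $canonical;
}

// Constructed sample inputs (not real requests), one per case of interest.
$samples = [
    ['REMOTE_ADDR' => '203.0.113.7'],         // plain IPv4
    ['REMOTE_ADDR' => '0:0:0:0:0:0:0:1'],     // IPv6 loopback, long form
    ['REMOTE_ADDR' => '::ffff:203.0.113.7'],  // IPv4-mapped IPv6
    ['REMOTE_ADDR' => '999.1.1.1'],           // syntactically invalid
    [],                                       // CLI: key absent
];

foreach ($samples as $s) {
    var_dump(clientAddress($s));
}
```

In a real request handler pass $_SERVER itself; the array parameter exists only so the cases above can be exercised from the command line.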