Breedlove: php - XSS attack in client's IP address -

Wednesday 15 February 2012

php - XSS attack in client's IP address -

i want count unique visitors on webpage. client's ip using next function:

$ipaddress = '';     if ($_server['http_client_ip'])         $ipaddress = $_server['http_client_ip'];     else if($_server['http_x_forwarded_for'])         $ipaddress = $_server['http_x_forwarded_for'];     else if($_server['http_x_forwarded'])         $ipaddress = $_server['http_x_forwarded'];     else if($_server['http_forwarded_for'])         $ipaddress = $_server['http_forwarded_for'];     else if($_server['http_forwarded'])         $ipaddress = $_server['http_forwarded'];     else if($_server['remote_addr'])         $ipaddress = $_server['remote_addr'];     else         $ipaddress = 'unknown';      homecoming $ipaddress;

should phone call htmlspecialchars() function on it, before inserting database? have heard possible manipulate headers , alter ip address add together xss or sql injection (i phone call real_escape_string() function) attack.

considering info type you're expecting ip, should validate specific info type add together next code

if(filter_var($ipaddress, filter_validate_ip)) homecoming $ipaddress; else homecoming "unknown";

this validates it's actual ip no sql injection attack vectors or xss pass through it.

php security ip xss htmlspecialchars

Breedlove

Wednesday 15 February 2012

php - XSS attack in client's IP address -

No comments:

Post a Comment