ardyandkari Posted December 3, 2008
https://forums.phpfreaks.com/topic/135401-solved-question-about-sanitation/

I am building a program that will use a lot of session and server variables. When I use a $_SERVER[] variable, should I sanitize? I will be using these to put in a DB. Example:

$foo = "INSERT INTO ford_escort(people, robots) VALUES ('{" . $_SERVER['REMOTE_ADDR'] . "}', '{" . $_SESSION['username'] . "}')";

I know the code doesn't make any sense, but you can get the idea. Wondering if it is possible to inject this way. Should I say

$address = stripslashes(htmlentities(mysql_real_escape_string($_SERVER['REMOTE_ADDR'])));

for each global variable?
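The INSERT above, rewritten as an added example (not code from the thread) so that neither value can ever become part of the SQL text. The table and column names are the OP's placeholders; the SQLite in-memory DSN is an assumption so the script runs without a MySQL server (PDO with the pdo_sqlite extension). The second username is a constructed value of the kind a user could pick at registration if the login form does not restrict it, which is what makes $_SESSION['username'] just as untrusted as any POST field.

```php
<?php
// Added example, not from the thread. Assumes PHP with PDO + pdo_sqlite.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');                       // assumption: in-memory DB instead of MySQL
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ford_escort (people TEXT NOT NULL, robots TEXT NOT NULL)');

// Constructed request data standing in for $_SERVER and $_SESSION.
$remoteAddr = '203.0.113.7';
$usernames  = ['alice', "bob'); DROP TABLE ford_escort; --"];

// REMOTE_ADDR is set by the web server from the TCP peer, not typed by the
// client, but it is still a string from the environment: validate it and
// fail closed rather than trusting its shape.
$ip = filter_var($remoteAddr, FILTER_VALIDATE_IP);
if ($ip === false) {
    throw new RuntimeException('REMOTE_ADDR is missing or not an IP address');
}

/**
 * Parameterised insert. The values travel separately from the SQL, so no
 * escaping step is needed here. Of the OP's three calls, only
 * mysql_real_escape_string was ever a database defence: htmlentities is output
 * encoding for HTML, and stripslashes applied afterwards undoes the escaping.
 */
function recordVisit(PDO $pdo, string $ip, string $username): void
{
    $stmt = $pdo->prepare('INSERT INTO ford_escort (people, robots) VALUES (:ip, :user)');
    $stmt->execute([':ip' => $ip, ':user' => $username]);
}

foreach ($usernames as $u) {
    recordVisit($pdo, $ip, $u);
}

// Both rows are stored verbatim and the table still exists.
$rows = $pdo->query('SELECT people, robots FROM ford_escort')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $r) {
    printf("%s -> %s\n", $r['people'], $r['robots']);
}

// Contrast: the OP's string-built query (braces dropped) with the same
// username. Only echoed, never executed: the second quote in the username
// closes the VALUES list, and everything after it is parsed as SQL.
$unsafe = "INSERT INTO ford_escort(people, robots) VALUES ('" . $remoteAddr . "', '" . $usernames[1] . "')";
echo $unsafe, "\n";
```

Whether the stacked DROP TABLE actually runs depends on the driver (the old mysql_query() refuses multiple statements, PDO with emulated prepares does not), but breaking out of the quotes is enough to rewrite the single statement the application does run, so the parameterised form is the fix regardless of driver.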
premiso Posted December 3, 2008

I do not think it is necessary to sanitize it unless you use QUERY_STRING or REFERRER. Although I know the REMOTE_ADDR can be spoofed, I do not think they can change it to where it can be used as SQL injection.
ardyandkari (Author) Posted December 3, 2008

How is it that you can avoid a spoofed IP? I would think that it would be hard to spoof this since I am not using cookies.
premiso Posted December 4, 2008

> How is it that you can avoid a spoofed IP? I would think that it would be hard to spoof this since I am not using cookies.

With proxies, networks etc. it is nearly impossible. Like right now, my PC and my wife's PC show the same IP even though our internal IPs are separate. I can also use a proxy to hide my IP. So yeah, IP just isn't reliable. I am unsure if they can set it to be anything, but adding the real_escape_string around it will protect you from SQL injection.
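The two questions the posts above leave open are whether a client can put arbitrary text into the address the application logs, and which address to log when a proxy sits in front of the server. The added example below (not code from the thread) separates the two cases: $_SERVER['REMOTE_ADDR'] is filled in by the web server from the TCP peer address, so a client can at most present the address of a NAT gateway or proxy, never free-form text; $_SERVER['HTTP_X_FORWARDED_FOR'], like every HTTP_* entry, is a request header copied verbatim and can contain anything, including SQL. The trusted-proxy list, the header layout (our proxy appends the peer it saw to the right) and the three sample requests are assumptions constructed for the example.

```php
<?php
// Added example, not from the thread. Plain PHP, no extensions required.
declare(strict_types=1);

// Assumption: the reverse proxies we operate. Only they may speak for the client.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the address to record for this request.
 *
 * REMOTE_ADDR is validated even though the server set it: it is still a string
 * from the environment, and a missing or malformed value should fail closed.
 * X-Forwarded-For is consulted only when the TCP peer is one of our proxies,
 * and then only its right-most entry, because entries to the left were supplied
 * by the client or by hops we do not control.
 */
function clientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($peer === false) {
        throw new RuntimeException('REMOTE_ADDR missing or malformed');
    }
    if (!in_array($peer, $trustedProxies, true)) {
        // Direct connection, or an unknown proxy: forwarded headers are ignored.
        return $peer;
    }
    $hops      = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = filter_var(end($hops), FILTER_VALIDATE_IP);
    // Junk in the header from behind our own proxy: fall back to the proxy address.
    return $candidate === false ? $peer : $candidate;
}

// Constructed requests.
$cases = [
    // Direct client sending attacker-controlled header content: header ignored.
    ['REMOTE_ADDR' => '198.51.100.9',
     'HTTP_X_FORWARDED_FOR' => "1.1.1.1'); DROP TABLE ford_escort; --"],
    // Via our proxy, which appended the real peer after a client-supplied entry.
    ['REMOTE_ADDR' => '10.0.0.5',
     'HTTP_X_FORWARDED_FOR' => 'spoofed, 198.51.100.9'],
    // Via our proxy, but the header is unusable.
    ['REMOTE_ADDR' => '10.0.0.5',
     'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];

foreach ($cases as $server) {
    echo clientIp($server), "\n";
}
```

The first two requests both resolve to 198.51.100.9 (the SQL fragment in the first header never reaches the return value), and the third falls back to the proxy address 10.0.0.5. Because the result is always a value that passed FILTER_VALIDATE_IP, it is safe to store, but it should still be bound as a parameter rather than concatenated into the query, so that the validation is a defence in depth and not the only thing standing between the header and the database.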
ardyandkari (Author) Posted December 4, 2008

I think the thing with your and your wife's computers is because they have the same POP (point of presence). Basically, they both work through the same gateway, be it a DSL modem or cable, or what have you. The IP address that gets noticed is the modem's, not the individual computer's. If you went to a coffee shop that offered free wifi, or to a friend's, and plugged in with the same computer, you would get a different IP address because of a different modem.

Regarding sanitizing, I guess safe IS better than sorry, so I will do it just in case. Thanks a lot!