Jump to content

Recommended Posts

Hello,

 

  I run a gaming community and i have a registration form. However im trying to get it to send the ip via to the db upon the users registration. I have been fiddiling with this for about 4 hrs now, even read various tutorials. I am in need of some seriouse help!

 

Below is the script.

 

Intention, to send the ip to the database via a hidden form on registration that will pull the new users ip.

 

And yes, i have edited the figs1.php to block my info. Im a noob with php, help would be greatly appreciated, thanks in advance.

 

Register:

<html>
<head>
<title>Registration</title>
</head>
<body>
<p align="center" class="style1"><span class="b01"> </span><br />
</p>
<form action="?op=register" method="post">
  <table width="258" border="0" align="center">
    <tr>
      <td width="107" height="20" class="b01"><strong>Login:</strong></td>
      <td width="141"><label>
        <input name="user" type="text" class="liteoption" id="user" size="15" onChange="javascript:this.value=this.value.toLowerCase();" maxlength="15" />
      </label></td>
    </tr>
    <tr>
      <td height="25" class="b01"><strong>Password:</strong></td>
      <td><input name="pass1" type="password" class="liteoption" id="pass1" size="15" maxlength="15" /></td>
    </tr>
    <tr>
      <td height="24" class="b01"><strong>Repeat Password : </strong></td>
      <td><input name="pass2" type="password" class="liteoption" id="pass2" size="15" maxlength="15" /></td>
      <td><input type="hidden" name="ipz" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>"></td>
</tr>
  </table>
  <p align="center">
    <input name="submit" type="submit" class="liteoption" value="Register" />
  </p>
</form>
<div align="center">
<?php
if(isset($_POST['submit'])) {
require('figs1.php');
if(!$_POST['user'] || !$_POST['pass1'] || !$_POST['pass2'] || !$_POST['ipz']) {
die('<strong>You Must Fill Out All Fields.<BR></strong>');
}
else {
$user = htmlspecialchars($_POST["user"]);
$pass = md5('kikugalanet' .$_POST['pass1']. '');
}
$pass2 = md5('kikugalanet' .$_POST['pass2']. '');
if(exi($user) != '0') {
die("<br />Username: '".$user."' is in use!<br />");
}
if($pass != $pass2) {
die('<strong>Passwords do not match!</strong>');
}
$nww = nw($user, $pass, $ipz); 
if ($nww){
echo("<p class='b01'><strong>Registration Success.</strong></p><br />");
}else  {
echo("<p class='b01'><strong>Registration Failed.</strong></p><br />");
}}
?>
</body>
</html>

 

 

Figs:

<?php
if(stristr($_SERVER['PHP_SELF'], "figs.php")) die('asdada'); 
$host = "";
$user = "";
$pass = "";
$db = "";

mysql_connect($host,$user,$pass) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

function nw($N, $C, $I){
  $reg = mysql_query("INSERT INTO accounts (username, password, accesslevel, ipz) VALUES( '$N', '$C', '100', '$I')")or die(mysql_error());
  return $reg;
  }
function exi($user){
$check = mysql_query("SELECT * FROM accounts WHERE username = '$user'");
$check2 = mysql_num_rows($check);
return $check2;
}
?>

Link to comment
https://forums.phpfreaks.com/topic/166207-registration-ip-issues/
Share on other sites

Why would you use a hidden field? First off that's insecure, those can be edited. All you need to do is use $_SERVER['REMOTE_ADDR'] where ever you're inserting it into the database. Because the file is still being requested by the user it'll still contain their ip.

<?php echo $_SERVER['REMOTE_ADDR']; ?>

 

Is not the real ip address if the user:

- uses a proxy

- uses shared internet

 

function getip() {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
         return $_SERVER['HTTP_CLIENT_IP']; // shared internet
    } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
         return $_SERVER['HTTP_X_FORWARDED_FOR']; // behind a proxy
    } else {
         return $_SERVER['REMOTE_ADDR']; // directly connected to the internet
    }
}

 

I run a gaming community

 

Which one?

And dont rely on global variables. It is obvious you $ipz variable has no value

$nww = nw($user, $pass, $ipz); 

should be

$nww = nw($user, $pass, $_SERVER['REMOTE_ADDR']); 

 

Also it would be much better if your submission code was prior to any html then you can redirect the user after a successful form submission using header()

function getip() {

    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {

        return $_SERVER['HTTP_CLIENT_IP']; // shared internet

    } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {

        return $_SERVER['HTTP_X_FORWARDED_FOR']; // behind a proxy

    } else {

        return $_SERVER['REMOTE_ADDR']; // directly connected to the internet

    }

}

Where are $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'] documented?

I have never seen these in the manual.

http://us3.php.net/manual/en/reserved.variables.server.php

function getip() {

    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {

        return $_SERVER['HTTP_CLIENT_IP']; // shared internet

    } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {

        return $_SERVER['HTTP_X_FORWARDED_FOR']; // behind a proxy

    } else {

        return $_SERVER['REMOTE_ADDR']; // directly connected to the internet

    }

}

Where are $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'] documented?

I have never seen these in the manual.

http://us3.php.net/manual/en/reserved.variables.server.php

 

You can't see the wind either and yet it's there ;)

 

HTTP proxies and gateways typicallye open new TCP connections to the origin server. The Web server will see the IP address of the proxy server instead of that of the client. Some proxies attempt to work around this problem by adding special Client-Ip or X-Forwarded-For HTTP extension headers to preserve the original IP address. But not all proxies support this behavior. -- HTTP (O'Reilly)

 

Some more information about these custom headers: http://en.wikipedia.org/wiki/X-Forwarded-For

Do note that if you rely on things like HTTP_X_FORWARDED_FOR then you make IP spoofing very easy.

 

Well if you ask me you shouldn't even rely on IP anyway as REMOTE_ADDR can be surpassed by using a proxy or shared internet and the alternatives can be spoofed. IP was created for one thing and it does that well. To get information from point A to B (not the actual transfer but identifying the source and destination, and even then it also needs a MAC and port number).

 

There is one thing you can do though use it to detect ip changes for an authenticated client.

That is not what I meant with IP spoofing.

 

Say that you have the IP address 1.2.3.4, but my IP address is 4.3.2.1. I want to pretend to the system that I am you. For this purpose, being you constitutes having the IP address 1.2.3.4. I cannot obtain that IP address because you're already using it. I cannot just say I am that IP address because then I won't get the response back. However, if the system regards HTTP_X_FORWARDED_FOR as the IP address of the user then I can just give it any IP address I want. It doesn't really matter what I tell it because that is not the header the response will go back to anyway.

 

How does this apply to the real world? Say SMF uses that to determine the user's IP address. Say I am a regular member and I for some reason do not like you, so I want to get you banned. I'll create a fake account using the above spoofing method and start posting all sorts of crap and spam. Staff will likely check the IP address and see it matches yours, so you will end up getting banned with the fake account I created. Then I go back to my normal identity.

However, if the system regards HTTP_X_FORWARDED_FOR as the IP address of the user then I can just give it any IP address I want.

 

Thank you for your clear explanation of IP spoofing and I know what you mean. I already mentioned that you shouldn't rely on an IP address anyway because every option available can be fake:

1) X-Forwarded-For and Client-Ip can be given any value (spoofed).

2) Remote-Addr can't be trust either because if they are using a proxy or shared internet the address we get is incorrect.

 

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.