Extinct Posted July 16, 2009 Share Posted July 16, 2009 Hello, I run a gaming community and i have a registration form. However im trying to get it to send the ip via to the db upon the users registration. I have been fiddiling with this for about 4 hrs now, even read various tutorials. I am in need of some seriouse help! Below is the script. Intention, to send the ip to the database via a hidden form on registration that will pull the new users ip. And yes, i have edited the figs1.php to block my info. Im a noob with php, help would be greatly appreciated, thanks in advance. Register: <html> <head> <title>Registration</title> </head> <body> <p align="center" class="style1"><span class="b01"> </span><br /> </p> <form action="?op=register" method="post"> <table width="258" border="0" align="center"> <tr> <td width="107" height="20" class="b01"><strong>Login:</strong></td> <td width="141"><label> <input name="user" type="text" class="liteoption" id="user" size="15" onChange="javascript:this.value=this.value.toLowerCase();" maxlength="15" /> </label></td> </tr> <tr> <td height="25" class="b01"><strong>Password:</strong></td> <td><input name="pass1" type="password" class="liteoption" id="pass1" size="15" maxlength="15" /></td> </tr> <tr> <td height="24" class="b01"><strong>Repeat Password : </strong></td> <td><input name="pass2" type="password" class="liteoption" id="pass2" size="15" maxlength="15" /></td> <td><input type="hidden" name="ipz" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>"></td> </tr> </table> <p align="center"> <input name="submit" type="submit" class="liteoption" value="Register" /> </p> </form> <div align="center"> <?php if(isset($_POST['submit'])) { require('figs1.php'); if(!$_POST['user'] || !$_POST['pass1'] || !$_POST['pass2'] || !$_POST['ipz']) { die('<strong>You Must Fill Out All Fields.<BR></strong>'); } else { $user = htmlspecialchars($_POST["user"]); $pass = md5('kikugalanet' .$_POST['pass1']. ''); } $pass2 = md5('kikugalanet' .$_POST['pass2']. ''); if(exi($user) != '0') { die("<br />Username: '".$user."' is in use!<br />"); } if($pass != $pass2) { die('<strong>Passwords do not match!</strong>'); } $nww = nw($user, $pass, $ipz); if ($nww){ echo("<p class='b01'><strong>Registration Success.</strong></p><br />"); }else { echo("<p class='b01'><strong>Registration Failed.</strong></p><br />"); }} ?> </body> </html> Figs: <?php if(stristr($_SERVER['PHP_SELF'], "figs.php")) die('asdada'); $host = ""; $user = ""; $pass = ""; $db = ""; mysql_connect($host,$user,$pass) or die(mysql_error()); mysql_select_db($db) or die(mysql_error()); function nw($N, $C, $I){ $reg = mysql_query("INSERT INTO accounts (username, password, accesslevel, ipz) VALUES( '$N', '$C', '100', '$I')")or die(mysql_error()); return $reg; } function exi($user){ $check = mysql_query("SELECT * FROM accounts WHERE username = '$user'"); $check2 = mysql_num_rows($check); return $check2; } ?> Quote Link to comment Share on other sites More sharing options...
Alex Posted July 16, 2009 Share Posted July 16, 2009 Why would you use a hidden field? First off that's insecure, those can be edited. All you need to do is use $_SERVER['REMOTE_ADDR'] where ever you're inserting it into the database. Because the file is still being requested by the user it'll still contain their ip. Quote Link to comment Share on other sites More sharing options...
ignace Posted July 16, 2009 Share Posted July 16, 2009 <?php echo $_SERVER['REMOTE_ADDR']; ?> Is not the real ip address if the user: - uses a proxy - uses shared internet function getip() { if (!empty($_SERVER['HTTP_CLIENT_IP'])) { return $_SERVER['HTTP_CLIENT_IP']; // shared internet } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { return $_SERVER['HTTP_X_FORWARDED_FOR']; // behind a proxy } else { return $_SERVER['REMOTE_ADDR']; // directly connected to the internet } } I run a gaming community Which one? Quote Link to comment Share on other sites More sharing options...
JonnoTheDev Posted July 16, 2009 Share Posted July 16, 2009 And dont rely on global variables. It is obvious you $ipz variable has no value $nww = nw($user, $pass, $ipz); should be $nww = nw($user, $pass, $_SERVER['REMOTE_ADDR']); Also it would be much better if your submission code was prior to any html then you can redirect the user after a successful form submission using header() Quote Link to comment Share on other sites More sharing options...
JonnoTheDev Posted July 16, 2009 Share Posted July 16, 2009 function getip() { if (!empty($_SERVER['HTTP_CLIENT_IP'])) { return $_SERVER['HTTP_CLIENT_IP']; // shared internet } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { return $_SERVER['HTTP_X_FORWARDED_FOR']; // behind a proxy } else { return $_SERVER['REMOTE_ADDR']; // directly connected to the internet } } Where are $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'] documented? I have never seen these in the manual. http://us3.php.net/manual/en/reserved.variables.server.php Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted July 16, 2009 Share Posted July 16, 2009 You should store the IP address as an unsigned integer, not as a string. You can use MySQL's INET_NTOA() and INET_ATON() functions or PHP's ip2long and long2ip functions. I would recommend MySQL's functions. Quote Link to comment Share on other sites More sharing options...
ignace Posted July 19, 2009 Share Posted July 19, 2009 function getip() { if (!empty($_SERVER['HTTP_CLIENT_IP'])) { return $_SERVER['HTTP_CLIENT_IP']; // shared internet } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { return $_SERVER['HTTP_X_FORWARDED_FOR']; // behind a proxy } else { return $_SERVER['REMOTE_ADDR']; // directly connected to the internet } } Where are $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'] documented? I have never seen these in the manual. http://us3.php.net/manual/en/reserved.variables.server.php You can't see the wind either and yet it's there HTTP proxies and gateways typicallye open new TCP connections to the origin server. The Web server will see the IP address of the proxy server instead of that of the client. Some proxies attempt to work around this problem by adding special Client-Ip or X-Forwarded-For HTTP extension headers to preserve the original IP address. But not all proxies support this behavior. -- HTTP (O'Reilly) Some more information about these custom headers: http://en.wikipedia.org/wiki/X-Forwarded-For Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted July 19, 2009 Share Posted July 19, 2009 Do note that if you rely on things like HTTP_X_FORWARDED_FOR then you make IP spoofing very easy. Quote Link to comment Share on other sites More sharing options...
ignace Posted July 19, 2009 Share Posted July 19, 2009 Do note that if you rely on things like HTTP_X_FORWARDED_FOR then you make IP spoofing very easy. Well if you ask me you shouldn't even rely on IP anyway as REMOTE_ADDR can be surpassed by using a proxy or shared internet and the alternatives can be spoofed. IP was created for one thing and it does that well. To get information from point A to B (not the actual transfer but identifying the source and destination, and even then it also needs a MAC and port number). There is one thing you can do though use it to detect ip changes for an authenticated client. Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted July 19, 2009 Share Posted July 19, 2009 That is not what I meant with IP spoofing. Say that you have the IP address 1.2.3.4, but my IP address is 4.3.2.1. I want to pretend to the system that I am you. For this purpose, being you constitutes having the IP address 1.2.3.4. I cannot obtain that IP address because you're already using it. I cannot just say I am that IP address because then I won't get the response back. However, if the system regards HTTP_X_FORWARDED_FOR as the IP address of the user then I can just give it any IP address I want. It doesn't really matter what I tell it because that is not the header the response will go back to anyway. How does this apply to the real world? Say SMF uses that to determine the user's IP address. Say I am a regular member and I for some reason do not like you, so I want to get you banned. I'll create a fake account using the above spoofing method and start posting all sorts of crap and spam. Staff will likely check the IP address and see it matches yours, so you will end up getting banned with the fake account I created. Then I go back to my normal identity. Quote Link to comment Share on other sites More sharing options...
ignace Posted July 19, 2009 Share Posted July 19, 2009 However, if the system regards HTTP_X_FORWARDED_FOR as the IP address of the user then I can just give it any IP address I want. Thank you for your clear explanation of IP spoofing and I know what you mean. I already mentioned that you shouldn't rely on an IP address anyway because every option available can be fake: 1) X-Forwarded-For and Client-Ip can be given any value (spoofed). 2) Remote-Addr can't be trust either because if they are using a proxy or shared internet the address we get is incorrect. Quote Link to comment Share on other sites More sharing options...
ignace Posted July 19, 2009 Share Posted July 19, 2009 2) Remote-Addr can't be trust either because if they are using a proxy or shared internet the address we get is incorrect. Granted it can't be spoofed, I guess. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.