Ninjakreborn Posted September 5, 2006

[code]
<?php
$insert = "INSERT INTO stats (ip, visitingurl, browser) VALUES('$_SERVER[REMOTE_ADDR]', '$_SERVER[HTTP_REFERER]', '$_SERVER[HTTP_USER_AGENT]');";
@mysql_query($insert);
?>
[/code]
radar Posted September 5, 2006

Yeah, it's pretty safe. I don't think you'll be arming any nuclear weapons with that code...
Ninjakreborn Posted September 5, 2006

OK, just making sure. Only one thing: it's killing the IP address. It cuts it off at the first '.'. I guess in MySQL the '.' tells the database to stop. I need to cut the '.'s out of it. Why is the database like that? I mean, is it the '.' that is cutting it off? It records the first 2 letters, then cuts off the rest.
radar Posted September 5, 2006

Have you tried using addslashes for the IP? Which would (if I remember right) make your IP look like /1/2/0/,/3/9/./3/2/5/./2/4 or something similar... so

[code]
$ip = addslashes($_SERVER['REMOTE_ADDR']);
[/code]

then to remove slashes for output...

[code]
$ip = stripslashes($query['ip']);
echo $ip;
[/code]

Something like that might be what you are aimed at?
Ninjakreborn Posted September 5, 2006

addslashes didn't work. I will just need to write up something that will get rid of those '.'s. What I wanted to ask was: is that what is causing this? Is it the dots or something else?
effigy Posted September 5, 2006

Always use MySQL's real_escape_string when putting things into MySQL.

P.S. You should use {}'s for complex variables.
Ninjakreborn Posted September 5, 2006

I normally do when I do database entries. I didn't think it was necessary for the IP, but I think you're right, better safe than sorry.
AndyB Posted September 5, 2006

Why would the "dots" interfere with adding the information into the database (unless you were trying to put that into a numeric string, in which case the answer is blindingly obvious)? Would you expect the same "dots" in a paragraph of text to stop the text from being added?
Ninjakreborn Posted September 5, 2006

I noticed that. I felt pretty stupid, so I didn't say anything else in the post. I had it set to integer instead of varchar.
shoz Posted September 5, 2006

[quote author=businessman332211 link=topic=107006.msg428768#msg428768 date=1157492113]I normally do when I do database entries, I didn't think it was necessary for the ip, but I think you're right, better safe than sorry.[/quote]

Both $_SERVER[HTTP_REFERER] and $_SERVER[HTTP_USER_AGENT] should be treated as user input. I don't know if it's possible to manipulate the REMOTE_ADDR var, but it shouldn't be assumed that it's not.
redbullmarky Posted September 5, 2006

[quote author=businessman332211 link=topic=107006.msg428815#msg428815 date=1157495021]I noticed that, I felt pretty stupid so I didn't say anything else in the post, I had it set to integer, instead of varchar[/quote]

Take a look at the ip2long and long2ip functions. Whilst it doesn't remove the need for thorough checking, I find it much safer and it also takes less storage in your DB. It has been known (from my own experience) for people to be able to manipulate certain values that turn up in the $_SERVER array (by masking/altering, rather than any brute force), so best not to leave anything to chance.
Ninjakreborn Posted September 6, 2006

I will, thanks for the function names.
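
Added example, not part of the thread and not any poster's code: the stats insert discussed above with the replies' advice applied (headers treated as user input, the address validated and stored through ip2long). It uses PDO bound parameters in place of escaping and mysql_query, since the old mysql extension was removed in PHP 7. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, and the function name record_visit, the table definition and the sample request values are constructed for illustration.

```php
<?php
// Added example: the thread's stats insert, rewritten with bound parameters.
// Assumptions: SQLite in memory stands in for MySQL; record_visit(), the
// table definition and the sample requests below are constructed.

function record_visit(PDO $db, array $server): bool
{
    // Validate the address instead of trusting it; false means "not IPv4".
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    if ($ip === false) {
        return false; // refuse to store a malformed address
    }

    // Referer and User-Agent are client-supplied headers: cap their length
    // and pass them as bound data, never as part of the SQL text.
    $referer = substr($server['HTTP_REFERER'] ?? '', 0, 255);
    $agent   = substr($server['HTTP_USER_AGENT'] ?? '', 0, 255);

    $stmt = $db->prepare(
        'INSERT INTO stats (ip, visitingurl, browser) VALUES (:ip, :url, :ua)'
    );
    // ip2long() packs the dotted quad into one integer, so an integer
    // column holds the whole address.
    return $stmt->execute([':ip' => ip2long($ip), ':url' => $referer, ':ua' => $agent]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stats (ip INTEGER, visitingurl TEXT, browser TEXT)');

// Constructed request whose User-Agent contains a quote and SQL-looking text.
// In the original string-built query this quote would end the literal early.
$quoted = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_REFERER'    => 'http://example.com/page',
    'HTTP_USER_AGENT' => "Mozilla/5.0 (O'Neil build); --",
];
var_dump(record_visit($db, $quoted));

// Constructed request with a malformed address, which the filter refuses.
var_dump(record_visit($db, ['REMOTE_ADDR' => '120.39']));

foreach ($db->query('SELECT ip, browser FROM stats') as $row) {
    // long2ip() restores the dotted form for display.
    echo long2ip((int) $row['ip']), ' | ', $row['browser'], PHP_EOL;
}
```

On MySQL the ip column would need to be INT UNSIGNED to hold every value ip2long() can return on 64-bit PHP.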