is this safe

[Ninjakreborn]

[code]
<?php
$insert = "INSERT INTO stats (ip, visitingurl, browser) VALUES('$_SERVER[REMOTE_ADDR]', '$_SERVER[HTTP_REFERER]', '$_SERVER[HTTP_USER_AGENT]');";
@mysql_query($insert);
?>
[/code]

[radar]

Yeah its pretty safe I Don't think you'll be arming any nuclear weapons with that code...

[Ninjakreborn]

Ok, just making sure, only one thing, it's killing the ip address. it cut's it off at the first . I guess in mysql, the . tells the database to stop.  I need to cut the .'s out of it, why is hte database like that, I mean is it the . that is cutting it off, it records the first 2 letters, then cut's off the rest.

[radar]

Have you tried using add slashes for the ip? which would (if i remember right) make your ip look like

/1/2/0/,/3/9/./3/2/5/./2/4 or something similar...

so $ip = addslashes($_SERVER[REMOTE_ADDR]);

then to remove slashes for output...

$ip = removeslashes($query['ip']);
echo $ip;

something like that might be what you are aimed at?

[Ninjakreborn]

add slashes didn't work, I will just need to write up something that will get rid of those .'s what I wanted to ask, was, is that what is causing htis, is it the dots or something else.

[effigy]

Always use MySQL's real_escape_string when putting things into MySQL.

P.S. You should use {}'s for complex variables.

[Ninjakreborn]

I normally do when I do database entries, I didn't think it was necessary for the ip, but I think your right, better safe than sorry.

[AndyB]

Why would the "dots" interfere with adding the information into the database (unless you were trying to put that into a numeric string, in which case the answer is blindingly obvious). Would you expect the same "dots" in a paragraph of text to stop the text from being added?

[Ninjakreborn]

I noticed that, I felt pretty stupid so I didn't say anything else in the post, I had it set to integer, instead of varchar

[shoz]

[quote author=businessman332211 link=topic=107006.msg428768#msg428768 date=1157492113]
I normally do when I do database entries, I didn't think it was necessary for the ip, but I think your right, better safe than sorry.
[/quote]
Both $_SERVER[HTTP_REFERER] and $_SERVER[HTTP_USER_AGENT] should be treated as user input. I don't know if it's possible to manipulate the REMOTE_ADDR var but it shouldn't be assumed that it's not.

[redbullmarky]

[quote author=businessman332211 link=topic=107006.msg428815#msg428815 date=1157495021]
I noticed that, I felt pretty stupid so I didn't say anything else in the post, I had it set to integer, instead of varchar
[/quote]
take a look at ip2long and long2ip functions. whilst it doesn't remove the need for thorough checking, i find it much safer and also takes less storage in your DB. It has been known (from my own experience) for people to be able to manipulate certain values that turn up in the $_SERVER array (by masking/altering, rather than any brute force), so best not to leave anything to chance.

[Ninjakreborn]

I will thanks for the function names.