Ninjakreborn

is this safe

[code]
<?php
$insert = "INSERT INTO stats (ip, visitingurl, browser) VALUES('$_SERVER[REMOTE_ADDR]', '$_SERVER[HTTP_REFERER]', '$_SERVER[HTTP_USER_AGENT]');";
@mysql_query($insert);
?>
[/code]

Yeah, it's pretty safe. I don't think you'll be arming any nuclear weapons with that code...

OK, just making sure. Only one thing: it's killing the IP address. It cuts it off at the first dot. I guess in MySQL, the . tells the database to stop. I need to cut the .'s out of it. Why is the database like that? I mean, is it the . that is cutting it off? It records the first 2 letters, then cuts off the rest.

Have you tried using add slashes for the IP? Which would (if I remember right) make your IP look like

/1/2/0/,/3/9/./3/2/5/./2/4 or something similar...

So $ip = addslashes($_SERVER['REMOTE_ADDR']);

Then to remove slashes for output...

$ip = stripslashes($query['ip']);
echo $ip;

Something like that might be what you are aiming at?

Add slashes didn't work. I will just need to write up something that will get rid of those .'s. What I wanted to ask was, is that what is causing this? Is it the dots or something else?

Always use MySQL's real_escape_string when putting things into MySQL.

P.S. You should use {}'s for complex variables.

I normally do when I do database entries. I didn't think it was necessary for the IP, but I think you're right, better safe than sorry.

Why would the "dots" interfere with adding the information into the database (unless you were trying to put that into a numeric string, in which case the answer is blindingly obvious)? Would you expect the same "dots" in a paragraph of text to stop the text from being added?

I noticed that. I felt pretty stupid, so I didn't say anything else in the post. I had it set to integer instead of varchar.

[quote author=businessman332211 link=topic=107006.msg428768#msg428768 date=1157492113]
I normally do when I do database entries. I didn't think it was necessary for the IP, but I think you're right, better safe than sorry.
[/quote]
Both $_SERVER[HTTP_REFERER] and $_SERVER[HTTP_USER_AGENT] should be treated as user input. I don't know if it's possible to manipulate the REMOTE_ADDR var but it shouldn't be assumed that it's not.

[quote author=businessman332211 link=topic=107006.msg428815#msg428815 date=1157495021]
I noticed that. I felt pretty stupid, so I didn't say anything else in the post. I had it set to integer instead of varchar.
[/quote]
Take a look at the ip2long and long2ip functions. Whilst it doesn't remove the need for thorough checking, I find it much safer and it also takes less storage in your DB. It has been known (from my own experience) for people to be able to manipulate certain values that turn up in the $_SERVER array (by masking/altering, rather than any brute force), so best not to leave anything to chance.
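
The advice in the replies above (treat the Referer and User-Agent headers as user input, check REMOTE_ADDR, store the address with ip2long) put together as an added example that is not part of any post in this thread. It uses PDO bound parameters in place of string escaping; the helper name record_visit(), the in-memory SQLite database and the sample request values are assumptions made so the example runs offline.

```php
<?php
// Added example, not code from the thread. The table layout, the helper name
// record_visit() and the sample values are assumptions for illustration.

function record_visit(PDO $db, array $server): bool
{
    // REMOTE_ADDR must parse as IPv4 before ip2long() is applied to it.
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    if ($ip === false) {
        return false; // IPv6 or malformed: would need a different column type
    }

    // Referer and User-Agent are client-supplied headers: cap their length
    // and pass them only as bound parameters, never inside the SQL string.
    $referer = substr((string)($server['HTTP_REFERER'] ?? ''), 0, 255);
    $agent   = substr((string)($server['HTTP_USER_AGENT'] ?? ''), 0, 255);

    $stmt = $db->prepare(
        'INSERT INTO stats (ip, visitingurl, browser) VALUES (:ip, :url, :ua)'
    );
    $stmt->bindValue(':ip', ip2long($ip), PDO::PARAM_INT);
    $stmt->bindValue(':url', $referer, PDO::PARAM_STR);
    $stmt->bindValue(':ua', $agent, PDO::PARAM_STR);
    return $stmt->execute();
}

// In-memory SQLite keeps the example runnable offline. With MySQL the DSN
// changes and the ip column would be INT UNSIGNED.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stats (ip INTEGER NOT NULL, visitingurl TEXT, browser TEXT)');

// Constructed request data; the apostrophes are what break the concatenated query.
$samples = [
    ['REMOTE_ADDR' => '192.0.2.44', 'HTTP_REFERER' => "http://example.com/o'neil",
     'HTTP_USER_AGENT' => "Mozilla/5.0 (compatible; O'Brien Reader)"],
    ['REMOTE_ADDR' => '192.0.2', 'HTTP_USER_AGENT' => 'short-address-client'],
];
foreach ($samples as $s) {
    echo record_visit($db, $s) ? "stored\n" : "rejected\n";
}

foreach ($db->query('SELECT ip, visitingurl, browser FROM stats') as $row) {
    // long2ip() turns the stored integer back into dotted form for display.
    echo long2ip((int)$row['ip']), ' | ', $row['visitingurl'], ' | ', $row['browser'], "\n";
}
```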
