is this safe


11 replies to this topic

#1 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 05 September 2006 - 09:06 PM

<?php
$insert = "INSERT INTO stats (ip, visitingurl, browser) VALUES('$_SERVER[REMOTE_ADDR]', '$_SERVER[HTTP_REFERER]', '$_SERVER[HTTP_USER_AGENT]');";
@mysql_query($insert);
?>

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#2 radar

radar
  • Members
  • Advanced Member
  • 645 posts
  • Location: SLC

Posted 05 September 2006 - 09:20 PM

Yeah, it's pretty safe. I don't think you'll be arming any nuclear weapons with that code...

#3 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 05 September 2006 - 09:21 PM

Ok, just making sure. Only one thing: it's killing the IP address. It cuts it off at the first "." I guess in MySQL the "." tells the database to stop. I need to cut the "."s out of it. Why is the database like that? I mean, is it the "." that is cutting it off? It records the first 2 letters, then cuts off the rest.


#4 radar

radar
  • Members
  • Advanced Member
  • 645 posts
  • Location: SLC

Posted 05 September 2006 - 09:28 PM

Have you tried using addslashes for the IP? Which would (if I remember right) make your IP look like

/1/2/0/,/3/9/./3/2/5/./2/4 or something similar...

so $ip = addslashes($_SERVER['REMOTE_ADDR']);

then to remove slashes for output...

$ip = stripslashes($query['ip']); // PHP has no removeslashes(); stripslashes() undoes addslashes()
echo $ip;

Something like that might be what you are aiming at?

#5 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 05 September 2006 - 09:33 PM

addslashes didn't work. I will just need to write up something that will get rid of those "."s. What I wanted to ask was: is that what is causing this? Is it the dots or something else?


#6 effigy

effigy
  • Staff Alumni
  • Advanced Member
  • 3,600 posts
  • Location: IL

Posted 05 September 2006 - 09:33 PM

Always use MySQL's real_escape_string when putting things into MySQL.

P.S. You should use {}'s for complex variables.
Regexp | Unicode Article | Letter Database
/\A(e)?((1)?ff(?:(?:ig)?y)?|f(?:ig)?)\z/

#7 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 05 September 2006 - 09:35 PM

I normally do when I do database entries. I didn't think it was necessary for the IP, but I think you're right, better safe than sorry.


#8 AndyB

AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • Location: Toronto

Posted 05 September 2006 - 09:50 PM

Why would the "dots" interfere with adding the information into the database (unless you were trying to put that into a numeric string, in which case the answer is blindingly obvious). Would you expect the same "dots" in a paragraph of text to stop the text from being added?
Legend has it that reading the manual never killed anyone.
My site

#9 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 05 September 2006 - 10:23 PM

I noticed that. I felt pretty stupid, so I didn't say anything else in the post. I had it set to integer instead of varchar.


#10 shoz

shoz
  • Staff Alumni
  • Advanced Member
  • 600 posts

Posted 05 September 2006 - 11:00 PM

> I normally do when I do database entries. I didn't think it was necessary for the IP, but I think you're right, better safe than sorry.

Both $_SERVER[HTTP_REFERER] and $_SERVER[HTTP_USER_AGENT] should be treated as user input. I don't know if it's possible to manipulate the REMOTE_ADDR var, but it shouldn't be assumed that it's not.

#11 redbullmarky

redbullmarky
  • Staff Alumni
  • Advanced Member
  • 2,863 posts
  • Location: Bedfordshire, England

Posted 05 September 2006 - 11:39 PM

> I noticed that. I felt pretty stupid, so I didn't say anything else in the post. I had it set to integer instead of varchar.

Take a look at the ip2long and long2ip functions. Whilst it doesn't remove the need for thorough checking, I find it much safer and it also takes less storage in your DB. It has been known (from my own experience) for people to be able to manipulate certain values that turn up in the $_SERVER array (by masking/altering, rather than any brute force), so best not to leave anything to chance.
"you have to keep pissing in the wind to learn how to keep your shoes dry..."

I say old chap, that is rather amusing!
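A hardened version of the INSERT from post #1 that pulls together the advice in #6, #10 and #11: escape or bind every value that goes into the SQL, treat the Referer and User-Agent headers as user input, and store the address through ip2long in an unsigned integer column. This is an added example, not code from the thread or from any of its posters. The table layout and column sizes, the open mysqli connection $db, and the function names are assumptions; it also uses mysqli with a prepared statement as the primary form, which the thread does not mention, next to the real_escape_string form effigy recommends. It assumes PHP 7 or later (the mysql_* functions used in post #1 no longer exist) and 64-bit PHP for the integer cast when reading the address back.

```php
<?php
// Added example, not code from the thread. Hypothetical table:
//   stats (ip INT UNSIGNED, visitingurl VARCHAR(2048), browser VARCHAR(512))
// $db is an open mysqli connection (assumed).

/**
 * Convert a dotted IPv4 literal into the unsigned decimal form of ip2long().
 * Returns null for anything that is not a valid IPv4 address, so a malformed
 * or spoofed value is rejected rather than silently stored.
 */
function client_ip_as_long(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // On 32-bit PHP ip2long() returns negatives for addresses >= 128.0.0.0;
    // '%u' renders the unsigned value that fits an INT UNSIGNED column.
    return sprintf('%u', ip2long($ip));
}

/**
 * Preferred form: a prepared statement. Referer and User-Agent are headers the
 * client chooses, so they are bound as parameters, never spliced into the SQL.
 */
function record_visit(mysqli $db, array $server): bool
{
    // Use the TCP peer address only. Forwarding headers such as X-Forwarded-For
    // are client-supplied unless a trusted proxy overwrites them, so they are
    // deliberately not consulted here.
    $ip = client_ip_as_long($server['REMOTE_ADDR'] ?? '');
    if ($ip === null) {
        return false;
    }
    // Cap lengths at the column sizes so an oversized header cannot make the INSERT fail.
    $referer = substr($server['HTTP_REFERER'] ?? '', 0, 2048);
    $agent   = substr($server['HTTP_USER_AGENT'] ?? '', 0, 512);

    $stmt = $db->prepare('INSERT INTO stats (ip, visitingurl, browser) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    // 'sss': the address is bound as its decimal string; MySQL stores it in INT UNSIGNED.
    $stmt->bind_param('sss', $ip, $referer, $agent);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * The form effigy recommends, if the query text must be built by hand:
 * real_escape_string() on every interpolated value, and {} around the
 * variables inside the double-quoted string. Returns the SQL (or null on an
 * invalid address) so it can be inspected before being run.
 */
function build_escaped_insert(mysqli $db, array $server): ?string
{
    $ip = client_ip_as_long($server['REMOTE_ADDR'] ?? '');
    if ($ip === null) {
        return null;
    }
    $referer = $db->real_escape_string(substr($server['HTTP_REFERER'] ?? '', 0, 2048));
    $agent   = $db->real_escape_string(substr($server['HTTP_USER_AGENT'] ?? '', 0, 512));
    return "INSERT INTO stats (ip, visitingurl, browser) "
         . "VALUES ({$ip}, '{$referer}', '{$agent}')";
}

/** Turn a stored row back into dotted form for display (64-bit PHP assumed). */
function ip_from_row(array $row): string
{
    return long2ip((int) $row['ip']);
}

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'user', 'pass', 'dbname');
// $db->set_charset('utf8mb4');   // real_escape_string() escapes according to the connection charset
// record_visit($db, $_SERVER);
```

The prepared-statement form is the one to use in new code: the values never touch the SQL text, so the escaping question disappears. real_escape_string() is only correct if the connection charset has been set with set_charset() first, which is why the usage sketch does that before anything else.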

#12 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 06 September 2006 - 12:40 PM

I will, thanks for the function names.
