Store IP address

eRott · September 7, 2006

I am wondering how to detect and store a users IP address in a MySQL database. Of course, the user would know this, however, I am looking to store their IP addresses as a security procedure. I want to have their IP address stored so if they were to ever do anything which goes against our TOS, I could take the appropriate action. I mainly want to know how because I am working on a form which would allow users to automatically upload videos to my website, however, if they were to upload something inappropriate, then I would be able to permanently IP ban them. Thanks.

onlyican · September 7, 2006

To get there IP

$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

Then store into the databse,
If you need any more help, let us know

HuggieBear · September 7, 2006

You can get the users IP address by using $_SERVER['REMOTE_ADDR']

However, bear in mind users can have multiple IP addresses if they get assigned to them automatically by the ISP.

Regards
Rich

[color=red]Edit: I'm too slow again[/color]

eRott · September 7, 2006

Great! Thank you both. However, how would I actually add that to the database. Would I use something like:

[code]
$ip = $_POST['$ip_adrs'];

$ip_adrs = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (name, ip) VALUES ('$video_name', '$ip')";
mysql_query($query) or die('Error, insert query failed');
[/code]

HuggieBear · September 7, 2006

Yeah, the code looks good, although you don't need this

[code=php:0]
$ip = $_POST['$ip_adrs'];
[/code]

And the value you should be inserting into the database is $ip_adrs not $ip.

Regards
Rich

TEENFRONT · September 7, 2006

yes kinda.

$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (name, ip) VALUES ('$video_name', '$ip')";
mysql_query($query) or die('Error, insert query failed');

id just use that. but dont forget to actually connect to your DB ( mysql_connect() ) before trying to insert something..

shoz · September 7, 2006

Note that HTTP_X_FORWARDED_FOR can be manipulated by the user and should at the very least be validated as a validly formatted address. As I've mentioned recently in another thread, I don't know if it's possible to modify the REMOTE_ADDR var but it should also be validated.

In addition to HuggyBears comment and as onlyican rightly points out, the user may be accessing the page through a proxy. Whether it be the ISP's or their own. If it's the ISP's proxy and they don't provide a X_FORWARED_FOR header you could end up banning an ISP's entire user base.

Just keep in mind that Ip Banning has drawbacks. I haven't gone into the topic that much so perhaps a search may reveal more information on the topic that would be helpful.

EDIT: The main reason for the validation comment isn't a response to TEENFRONT's post (I don't expect validation code in all responses). I mention it because it's not obvious that it should be treated as user input rather than server generated information.

eRott · September 7, 2006

Cool. thank you! Yes, I know ;D. How's this:

[code]
<? include("../header.php");?>

<?
if(isset($_POST['add']))
{
include 'lib/config.php';
include 'lib/opendb.php';

$video_name = $_POST['video_name'];
$video_src = $_POST['video_src'];
$video_author = $_POST['video_author'];
$video_description = $_POST['video_description'];
$video_type = $_POST['video_type'];
$ip_adrs = $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (video_name, video_src, video_author, video_description, video_type, ip_adrs) VALUES ('$video_name', '$video_src', '$video_author', '$video_description', '$video_type', '$ip_adrs')";
mysql_query($query) or die('Error, insert query failed');

include 'lib/closedb.php';
echo "New video added";
}
else
{
?>
<form method="post">
<table width="400" border="0" cellspacing="1" cellpadding="2">
<tr>
<td width="100">Video Name</td>
<td><input name="video_name" type="text" id="video_name"></td>
</tr>
<tr>
<td width="100">Video Source</td>
<td><input name="video_src" type="text" id="video_src"></td>
</tr>
<tr>
<td width="100">Video Author</td>
<td><input name="video_author" type="text" id="video_author"></td>
</tr>
<tr>
<td width="100">Video Description</td>
<td><input name="video_description" type="text" id="video_description"></td>
</tr>
<tr>
<td width="100">Video Type</td>
<td><input name="video_type" type="text" id="video_type"></td>
</tr>
<tr>
<td width="100"> </td>
<td> </td>
</tr>
<tr>
<td width="100"> </td>
<td><input name="add" type="submit" id="add" value="Add New Video"></td>
</tr>
</table>
</form>
<?
}
?>

<? include("../footer.php");?>
[/code]

@shoz

I understand that some people may be using proxy's, but it's really not all that important. I don't think I will ever really need to ban any IP's anyway. But you know, better safe then sorry. It's more just a precaution. But thanks. I will use the

[code]
$ip_adrs = $_SERVER['REMOTE_ADDR']
[/code]

Edit: how would I validate the IP address?

shoz · September 7, 2006

If that's the script in its entirety then you should be validating all the user input. To understand some of the security issues involved you can look at this [url=http://phpsec.org/projects/guide/]security guide[/url] as a starting point.

eRott · September 7, 2006

Well, that is just a simple script for me to use. No one else can use it. I have not begun the script which users may use to upload videos yet. That will however, be the basis. Unfortuniatly, I have just begun to use MySQL and am not very familiar with it, so if you could possibly help me out with how to validate each one of the fields in my script, that would be very appreciated and would help me out a lot. Thanks.

shoz · September 7, 2006

For validation of the ip you can use the following. The regex for this is from http://regular-expressions.info/examples.html

[code]
if (preg_match('#^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$#', $ip))
{
print 'valid';
}
else
{
print 'invalid';
}
[/code]
To only validate the other fields the basic method you'll want to use is decide what fields should have known values and which fields do not. You'll need to check the fields that should have one of a number of values against a list.

If a field should only contain specific characters use [url=http://www.php.net/preg_match]preg_match[/url] or [url=http://www.php.net/ctype]ctype[/url] functions to validate it.

Limit anything that can be limited. If the description shouldn't be more than 200 characters long, then see that it's not.

Although these don't fall into validation, these are also basic things you should do.

1) On output use for instance [url=http://www.php.net/htmlentities]htmlentities[/url] to turn special html characters to their html equivalents.

2) Use [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string[/url] to escape everything being inserted into the database.

kenwvs · September 7, 2006

Sorry to intrude here.

What do you mean by escape everything being inserted into the database, and why do we do this?

shoz · September 8, 2006

http://phpsec.org/projects/guide/3.html#3.2

Sign In

Store IP address

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information