Store IP address


12 replies to this topic

#1 eRott

eRott
  • Members
  • Advanced Member
  • 206 posts
  • Location: Toronto, ON

Posted 07 September 2006 - 09:16 PM

I am wondering how to detect and store a user's IP address in a MySQL database. Of course, the user would know this, however, I am looking to store their IP addresses as a security procedure. I want to have their IP address stored so if they were to ever do anything which goes against our TOS, I could take the appropriate action. I mainly want to know how because I am working on a form which would allow users to automatically upload videos to my website, however, if they were to upload something inappropriate, then I would be able to permanently IP ban them. Thanks.

#2 onlyican

onlyican
  • Members
  • Advanced Member
  • 921 posts
  • Location: Hants - UK

Posted 07 September 2006 - 09:22 PM

To get their IP

$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

Then store into the database,
If you need any more help, let us know
Tell me the problem, I will try tell you the solution

#3 HuggieBear

HuggieBear
  • Members
  • Advanced Member
  • 1,899 posts
  • Location: England, UK

Posted 07 September 2006 - 09:26 PM

You can get the user's IP address by using $_SERVER['REMOTE_ADDR']

However, bear in mind users can have multiple IP addresses if they get assigned to them automatically by the ISP.

Regards
Rich

Edit: I'm too slow again
Advice to MySQL users: Get phpMyAdmin and test your queries work there first, take half the hassle out of diagnosis, also check the reserved words list.

Links: PHP Docs :: RegEx's :: MySQL :: DevGuru :: w3schools

#4 eRott

eRott
  • Members
  • Advanced Member
  • 206 posts
  • Location: Toronto, ON

Posted 07 September 2006 - 09:33 PM

Great! Thank you both. However, how would I actually add that to the database? Would I use something like:

$ip = $_POST['$ip_adrs'];

$ip_adrs = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (name, ip) VALUES ('$video_name', '$ip')";
mysql_query($query) or die('Error, insert query failed');


#5 HuggieBear

HuggieBear
  • Members
  • Advanced Member
  • 1,899 posts
  • Location: England, UK

Posted 07 September 2006 - 09:36 PM

Yeah, the code looks good, although you don't need this

$ip = $_POST['$ip_adrs'];

And the value you should be inserting into the database is $ip_adrs not $ip.

Regards
Rich

#6 TEENFRONT

TEENFRONT
  • Members
  • Advanced Member
  • 338 posts

Posted 07 September 2006 - 09:37 PM

Yes, kinda.


$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (name, ip) VALUES ('$video_name', '$ip')";
mysql_query($query) or die('Error, insert query failed');


I'd just use that, but don't forget to actually connect to your DB (mysql_connect()) before trying to insert something.

Teenfront.co.uk : Free Teen Chat -  FunkySmileys.co.uk : MSN Smileys -  ArcadeMonkey.co.uk : Free Flash Games
8Baller.co.uk : Free Multiplayer Pool

#7 shoz

shoz
  • Staff Alumni
  • Advanced Member
  • 600 posts

Posted 07 September 2006 - 09:39 PM

Note that HTTP_X_FORWARDED_FOR can be manipulated by the user and should at the very least be validated as a validly formatted address. As I've mentioned recently in another thread, I don't know if it's possible to modify the REMOTE_ADDR var but it should also be validated.

In addition to HuggieBear's comment and as onlyican rightly points out, the user may be accessing the page through a proxy, whether it be the ISP's or their own. If it's the ISP's proxy and they don't provide an X_FORWARDED_FOR header you could end up banning an ISP's entire user base.

Just keep in mind that IP banning has drawbacks. I haven't gone into the topic that much so perhaps a search may reveal more information on the topic that would be helpful.

EDIT: The main reason for the validation comment isn't a response to TEENFRONT's post (I don't expect validation code in all responses). I mention it because it's not obvious that it should be treated as user input rather than server generated information.
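
Added example (not part of any post in this thread): one way to apply the advice above, treating X-Forwarded-For as user input that is honoured only when the TCP peer is a proxy you operate, and validating every address before use. The function name `client_ip`, the `$trustedProxies` list and all addresses are constructed for illustration.

```php
<?php
// Added example, not code from the thread. $trustedProxies is a hypothetical
// list of reverse proxies you run; all addresses are documentation ranges.
function client_ip(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // nothing usable to store
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Any client can send this header; only believe it when the connection
    // itself comes from one of our own proxies.
    if ($xff === '' || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Each proxy appends the peer it saw, so read right to left and stop at
    // the first address that is not one of ours. Entries further left were
    // supplied by the client and are ignored.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back to the TCP peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

$trustedProxies = ['192.0.2.10'];

// Constructed requests.
$direct  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_FOR' => 'spoofed-value, 198.51.100.7'];
$garbage = ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_FOR' => 'not-an-address'];

var_dump(client_ip($direct, $trustedProxies));  // header ignored: peer is not our proxy
var_dump(client_ip($proxied, $trustedProxies)); // entry appended by our proxy is used
var_dump(client_ip($garbage, $trustedProxies)); // invalid header: TCP peer is used
```

With an empty `$trustedProxies` list the function reduces to a validated `$_SERVER['REMOTE_ADDR']`, which is what the thread settles on.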

#8 eRott

eRott
  • Members
  • Advanced Member
  • 206 posts
  • Location: Toronto, ON

Posted 07 September 2006 - 09:45 PM

Cool. thank you! Yes, I know ;D. How's this:

<? include("../header.php");?>

<?
if(isset($_POST['add']))
{
include 'lib/config.php';
include 'lib/opendb.php';

$video_name = $_POST['video_name'];
$video_src = $_POST['video_src'];
$video_author = $_POST['video_author'];
$video_description = $_POST['video_description'];
$video_type = $_POST['video_type'];
$ip_adrs = $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (video_name, video_src, video_author, video_description, video_type, ip_adrs) VALUES ('$video_name', '$video_src', '$video_author', '$video_description', '$video_type', '$ip_adrs')";
mysql_query($query) or die('Error, insert query failed');

include 'lib/closedb.php';
echo "New video added";
}
else
{
?>
<form method="post">
<table width="400" border="0" cellspacing="1" cellpadding="2">
<tr> 
<td width="100">Video Name</td>
<td><input name="video_name" type="text" id="video_name"></td>
</tr>
<tr> 
<td width="100">Video Source</td>
<td><input name="video_src" type="text" id="video_src"></td>
</tr>
<tr> 
<td width="100">Video Author</td>
<td><input name="video_author" type="text" id="video_author"></td>
</tr>
<tr> 
<td width="100">Video Description</td>
<td><input name="video_description" type="text" id="video_description"></td>
</tr>
<tr> 
<td width="100">Video Type</td>
<td><input name="video_type" type="text" id="video_type"></td>
</tr>
<tr> 
<td width="100">&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr> 
<td width="100">&nbsp;</td>
<td><input name="add" type="submit" id="add" value="Add New Video"></td>
</tr>
</table>
</form>
<?
}
?>

<? include("../footer.php");?>

@shoz

I understand that some people may be using proxies, but it's really not all that important. I don't think I will ever really need to ban any IPs anyway. But you know, better safe than sorry. It's more just a precaution. But thanks. I will use the

$ip_adrs = $_SERVER['REMOTE_ADDR']

Edit: how would I validate the IP address?

#9 shoz

shoz
  • Staff Alumni
  • Advanced Member
  • 600 posts

Posted 07 September 2006 - 09:50 PM

If that's the script in its entirety then you should be validating all the user input. To understand some of the security issues involved you can look at this security guide as a starting point.

#10 eRott

eRott
  • Members
  • Advanced Member
  • 206 posts
  • Location: Toronto, ON

Posted 07 September 2006 - 09:56 PM

Well, that is just a simple script for me to use. No one else can use it. I have not begun the script which users may use to upload videos yet. That will, however, be the basis. Unfortunately, I have just begun to use MySQL and am not very familiar with it, so if you could possibly help me out with how to validate each one of the fields in my script, that would be very appreciated and would help me out a lot. Thanks.

#11 shoz

shoz
  • Staff Alumni
  • Advanced Member
  • 600 posts

Posted 07 September 2006 - 10:51 PM

For validation of the ip you can use the following. The regex for this is from http://regular-expre...o/examples.html

if (preg_match('#^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$#', $ip))
{
    print 'valid';
}
else
{
    print 'invalid';
}

To only validate the other fields, the basic method you'll want to use is to decide what fields should have known values and which fields do not. You'll need to check the fields that should have one of a number of values against a list.

If a field should only contain specific characters use preg_match or ctype functions to validate it.

Limit anything that can be limited. If the description shouldn't be more than 200 characters long, then see that it's not.

Although these don't fall into validation, these are also basic things you should do.

1) On output use for instance htmlentities to turn special html characters to their html equivalents.

2) Use mysql_real_escape_string to escape everything being inserted into the database.


#12 kenwvs

kenwvs
  • Members
  • Advanced Member
  • 194 posts

Posted 07 September 2006 - 11:07 PM

Sorry to intrude here.

What do you mean by escape everything being inserted into the database, and why do we do this?

#13 shoz

shoz
  • Staff Alumni
  • Advanced Member
  • 600 posts

Posted 08 September 2006 - 12:57 AM

http://phpsec.org/pr...uide/3.html#3.2
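
Added example (not part of any post in this thread): the validation checklist from post #11 and the escaping question from post #12, applied to a few of the field names from post #8. It uses PDO prepared statements in place of mysql_real_escape_string, because the mysql_* functions were removed in PHP 7; the allowed types, length limits, `videos` table and in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Field names follow post #8; the
// allowed types, limits, "videos" table and SQLite database are assumptions.
const VIDEO_TYPES = ['flash', 'wmv', 'mov'];

function validate_video(array $in): array
{
    $errors = [];
    // Field with a known set of values: check it against the list.
    if (!in_array($in['video_type'] ?? '', VIDEO_TYPES, true)) {
        $errors[] = 'video_type';
    }
    // Field with a restricted character set: preg_match.
    if (!preg_match('/^[A-Za-z0-9 _.-]{1,60}$/', $in['video_author'] ?? '')) {
        $errors[] = 'video_author';
    }
    // Free text: limit what can be limited.
    $desc = $in['video_description'] ?? '';
    if ($desc === '' || strlen($desc) > 200) {
        $errors[] = 'video_description';
    }
    if (filter_var($in['ip_adrs'] ?? '', FILTER_VALIDATE_IP) === false) {
        $errors[] = 'ip_adrs';
    }
    return $errors; // names of the fields that failed
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE videos (video_author TEXT, video_description TEXT, video_type TEXT, ip_adrs TEXT)');

// Constructed input: the description contains a quote and HTML markup.
$input = [
    'video_author'      => 'eRott',
    'video_description' => "It's <b>my</b> first upload",
    'video_type'        => 'flash',
    'ip_adrs'           => '203.0.113.9',
];

if (validate_video($input) === []) {
    // Placeholders keep the data out of the SQL text, so the quote in the
    // description cannot end the string literal and change the statement.
    $stmt = $pdo->prepare('INSERT INTO videos VALUES (?, ?, ?, ?)');
    $stmt->execute([$input['video_author'], $input['video_description'],
                    $input['video_type'], $input['ip_adrs']]);
}

// On output, convert HTML special characters so stored markup is shown as text.
foreach ($pdo->query('SELECT * FROM videos', PDO::FETCH_ASSOC) as $row) {
    echo htmlentities($row['video_description'], ENT_QUOTES, 'UTF-8'), "\n";
}
```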



