Store IP address


eRott


I am wondering how to detect and store a user's IP address in a MySQL database. Of course, the user would know this, however, I am looking to store their IP addresses as a security procedure. I want to have their IP address stored so if they were to ever do anything which goes against our TOS, I could take the appropriate action. I mainly want to know how because I am working on a form which would allow users to automatically upload videos to my website, however, if they were to upload something inappropriate, then I would be able to permanently IP ban them. Thanks.
Link to comment
Share on other sites

Great! Thank you both. However, how would I actually add that to the database? Would I use something like:

[code]
$ip = $_POST['$ip_adrs'];

$ip_adrs = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (name, ip) VALUES ('$video_name', '$ip')";
mysql_query($query) or die('Error, insert query failed');
[/code]
Link to comment
Share on other sites

Yes, kinda.


[code]
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (name, ip) VALUES ('$video_name', '$ip')";
mysql_query($query) or die('Error, insert query failed');
[/code]


I'd just use that. But don't forget to actually connect to your DB (mysql_connect()) before trying to insert something.
Link to comment
Share on other sites

Note that HTTP_X_FORWARDED_FOR can be manipulated by the user and should at the very least be validated as a validly formatted address. As I've mentioned recently in another thread, I don't know if it's possible to modify the REMOTE_ADDR var but it should also be validated.

In addition to HuggyBear's comment and as onlyican rightly points out, the user may be accessing the page through a proxy. Whether it be the ISP's or their own. If it's the ISP's proxy and they don't provide an X_FORWARDED_FOR header you could end up banning an ISP's entire user base.

Just keep in mind that IP banning has drawbacks. I haven't gone into the topic that much so perhaps a search may reveal more information on the topic that would be helpful.

EDIT: The main reason for the validation comment isn't a response to TEENFRONT's post (I don't expect validation code in all responses). I mention it because it's not obvious that it should be treated as user input rather than server generated information.
Link to comment
Share on other sites
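The point made above, that `HTTP_X_FORWARDED_FOR` is user input while `REMOTE_ADDR` is the TCP peer, shown as an added example that is not part of the original posts. The helper name `client_ip` and the trusted-proxy list are hypothetical, and the addresses are constructed from documentation ranges.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// $trustedProxies lists reverse proxies you operate yourself (assumption).
function client_ip(array $server, array $trustedProxies = [])
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // refuse to store anything that is not an address
    }
    // Direct connection: the header is client-supplied, so ignore it.
    if (!in_array($remote, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Behind our own proxy: each proxy appends the peer it saw, so walk the
    // list right to left and take the first entry that is not one of ours.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: fall back to the TCP peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed requests.
$proxies = ['192.0.2.10'];
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
$proxied = ['REMOTE_ADDR' => '192.0.2.10',
            'HTTP_X_FORWARDED_FOR' => 'not-an-address, 198.51.100.23'];
var_dump(client_ip($direct, $proxies));  // header ignored, peer address kept
var_dump(client_ip($proxied, $proxies)); // entry appended by the trusted proxy
```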

Cool. Thank you! Yes, I know ;D. How's this:

[code]
<? include("../header.php");?>

<?
if(isset($_POST['add']))
{
include 'lib/config.php';
include 'lib/opendb.php';

$video_name = $_POST['video_name'];
$video_src = $_POST['video_src'];
$video_author = $_POST['video_author'];
$video_description = $_POST['video_description'];
$video_type = $_POST['video_type'];
$ip_adrs = $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO ..... (video_name, video_src, video_author, video_description, video_type, ip_adrs) VALUES ('$video_name', '$video_src', '$video_author', '$video_description', '$video_type', '$ip_adrs')";
mysql_query($query) or die('Error, insert query failed');

include 'lib/closedb.php';
echo "New video added";
}
else
{
?>
<form method="post">
<table width="400" border="0" cellspacing="1" cellpadding="2">
<tr>
<td width="100">Video Name</td>
<td><input name="video_name" type="text" id="video_name"></td>
</tr>
<tr>
<td width="100">Video Source</td>
<td><input name="video_src" type="text" id="video_src"></td>
</tr>
<tr>
<td width="100">Video Author</td>
<td><input name="video_author" type="text" id="video_author"></td>
</tr>
<tr>
<td width="100">Video Description</td>
<td><input name="video_description" type="text" id="video_description"></td>
</tr>
<tr>
<td width="100">Video Type</td>
<td><input name="video_type" type="text" id="video_type"></td>
</tr>
<tr>
<td width="100">&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td width="100">&nbsp;</td>
<td><input name="add" type="submit" id="add" value="Add New Video"></td>
</tr>
</table>
</form>
<?
}
?>

<? include("../footer.php");?>
[/code]

@shoz

I understand that some people may be using proxies, but it's really not all that important. I don't think I will ever really need to ban any IPs anyway. But you know, better safe than sorry. It's more just a precaution. But thanks. I will use the

[code]
$ip_adrs = $_SERVER['REMOTE_ADDR'];
[/code]

Edit: how would I validate the IP address?
Link to comment
Share on other sites

If that's the script in its entirety then you should be validating all the user input. To understand some of the security issues involved you can look at this [url=http://phpsec.org/projects/guide/]security guide[/url] as a starting point.
Link to comment
Share on other sites

Well, that is just a simple script for me to use. No one else can use it. I have not begun the script which users may use to upload videos yet. That will however, be the basis. Unfortunately, I have just begun to use MySQL and am not very familiar with it, so if you could possibly help me out with how to validate each one of the fields in my script, that would be very appreciated and would help me out a lot. Thanks.
Link to comment
Share on other sites

For validation of the ip you can use the following. The regex for this is from http://regular-expressions.info/examples.html

[code]
// The D modifier keeps $ from matching just before a trailing newline.
if (preg_match('#^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$#D', $ip))
{
    print 'valid';
}
else
{
    print 'invalid';
}
[/code]
To only validate the other fields, the basic method you'll want to use is to decide what fields should have known values and which fields do not. You'll need to check the fields that should have one of a number of values against a list.

If a field should only contain specific characters use [url=http://www.php.net/preg_match]preg_match[/url] or [url=http://www.php.net/ctype]ctype[/url] functions to validate it.

Limit anything that can be limited. If the description shouldn't be more than 200 characters long, then see that it's not.

Although these don't fall into validation, these are also basic things you should do.

1) On output use for instance [url=http://www.php.net/htmlentities]htmlentities[/url] to turn special html characters to their html equivalents.

2) Use [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string[/url] to escape everything being inserted into the database.
Link to comment
Share on other sites
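The checklist in the last reply, applied to three of the form's fields plus the IP, as an added example that is not part of the original posts. The table name `videos`, the allowed-type list and the 80-character name limit are assumptions, and PDO bound parameters are used in place of `mysql_real_escape_string`; in-memory SQLite (requires the pdo_sqlite extension) stands in for the MySQL connection so the block runs offline.

```php
<?php
// Added example, not code from the thread; table name and limits are assumed.
function validate_video(array $post, $ip)
{
    $errors = [];
    $allowedTypes = ['flv', 'mp4', 'avi']; // assumed list of known values
    $name = isset($post['video_name']) ? $post['video_name'] : null;
    $desc = isset($post['video_description']) ? $post['video_description'] : null;
    $type = isset($post['video_type']) ? $post['video_type'] : null;
    // Specific characters only; \z (not $) so a trailing newline is rejected.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9 _-]{1,80}\z/', $name)) {
        $errors[] = 'video_name';
    }
    // Limit anything that can be limited.
    if (!is_string($desc) || strlen($desc) > 200) {
        $errors[] = 'video_description';
    }
    // A field with known values is checked against the list.
    if (!in_array($type, $allowedTypes, true)) {
        $errors[] = 'video_type';
    }
    if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $errors[] = 'ip_adrs';
    }
    return $errors;
}

function store_video(PDO $db, array $post, $ip)
{
    // Bound parameters take the place of escaping each value by hand.
    $stmt = $db->prepare('INSERT INTO videos
        (video_name, video_description, video_type, ip_adrs) VALUES (?, ?, ?, ?)');
    return $stmt->execute([$post['video_name'], $post['video_description'],
        $post['video_type'], $ip]);
}

// Constructed submission and address.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (video_name, video_description, video_type, ip_adrs)');
$post = ['video_name' => 'Holiday clip', 'video_description' => "It's <b>great</b>", 'video_type' => 'mp4'];
$errors = validate_video($post, '203.0.113.7');
if ($errors === [] && store_video($db, $post, '203.0.113.7')) {
    $row = $db->query('SELECT video_description FROM videos')->fetch(PDO::FETCH_ASSOC);
    echo htmlentities($row['video_description'], ENT_QUOTES, 'UTF-8'), "\n"; // escape on output
} else {
    echo 'Rejected: ', implode(', ', $errors), "\n";
}
```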
