Plug small security hole


X51

I have a web site that sells products. I have just added a table (mysql) that keeps track of searches. So when a user comes to the site from a search engine the search term(s) they used to find my site are stored along with their IP as an identifier and the landing page populates with products accordingly. Also when a user uses the local search feature it updates to add the new search term(s) to the table. The page displays the search box with whatever the last search term(s) were so at a later time all someone has to do is click search to repeat it.


OK, so far so good. Then I got on my iPhone to test it out and when the page loaded the search terms used on my laptop were there. Duh... same IP from the network. So this is my security hole that I am trying to plug. My site doesn't set any cookies and I was trying to keep it that way, but I am thinking I may have to stray from that in order to do this. I don't suppose there is a way in PHP to get a user's MAC address, is there?


I was hoping that someone could offer me some tidbits of wisdom to guide me in these dark times  :)


Well I have a fix that uses a cookie and everything seems to be working great... except one thing. I am setting the cookie which contains a random string. I needed to log the cookie contents into the db as soon as the cookie was set so I did a refresh after setting it. Now when a visitor is using the site normally all is well and good. Only one line is added to the db table, but when someone enters the site from a search engine two lines are added. One with the search info and a blank cookie value, and one with all the info including the cookie value. I'm at a loss to figure out why. Any suggestions?


<?php
if (!isset($_COOKIE['search'])) {
    // First request from this browser: generate a random token and hand it out as a cookie.
    function genRandomString() {
        $length = 30;
        $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
        $string = "";

        for ($p = 0; $p < $length; $p++) {
            // Last valid index is strlen - 1; using strlen itself reads past the end of the string
            $string .= $characters[mt_rand(0, strlen($characters) - 1)];
        }

        return $string;
    }
    $random = genRandomString();
    $number_of_days = 90;
    $date_of_expiry = time() + 60 * 60 * 24 * $number_of_days;
    setcookie("search", $random, $date_of_expiry);
    // $_COOKIE is only populated on the next request, so this pass has no cookie value yet
    $search = "";
    ?>
<script>javascript:history.go(0)</script>
<?php
} else {
    // Cookie value goes into SQL below, so escape it for the mysql_ extension
    $search = mysql_real_escape_string($_COOKIE['search'], $products);
}
$ipaddress = $_SERVER['REMOTE_ADDR'];
$time = time() - 3600;
$now_is = date("Y-m-d", $time);

// $SearchTerm is assumed to be set earlier in the page from the request / referrer
if (isset($SearchTerm) && $SearchTerm <> "") {
    // User-supplied text: escape before building the query
    $word = mysql_real_escape_string($SearchTerm, $products);

    mysql_select_db($database_products, $products);
    $query_ip = "SELECT id, cookie FROM search WHERE cookie = '$search' ORDER BY id DESC LIMIT 1";
    $ip_sel = mysql_query($query_ip, $products) or die(mysql_error());
    $ip = mysql_fetch_assoc($ip_sel);

    if (isset($ip['cookie']) && ($ip['cookie'] <> "")) {
        // Known cookie: overwrite the stored terms for this browser
        $result = mysql_query("UPDATE search SET terms = '$word', date = '$now_is' WHERE cookie = '$search'") or die(mysql_error());
    } else {
        // No row for this cookie yet (or no cookie yet): add a new one
        mysql_select_db($database_products, $products);
        $result = mysql_query("INSERT INTO search VALUES (
            '{0}',
            '{$ipaddress}',
            '{$word}',
            '{$now_is}',
            '{$search}')") or die(mysql_error());
    }
}
?>


I figured it out. There was no need to do the refresh since I didn't need to read the cookie value. The $random variable held the same value so I added it to the db record instead.


It was a two-for-one because now it validates with W3C again since I dropped the JavaScript.

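The approach worked out across the thread, keying the remembered search on a random cookie token rather than the shared IP and using the generated value directly instead of reloading the page, as an added example that is not the poster's code. It assumes PHP 7.3 or later (for the `setcookie` options array), an existing PDO connection in `$pdo`, the search term arriving in `$_GET['q']`, and the table layout shown in the comment; all of those are assumptions, not details from the thread.

```php
<?php
// Added example, not the poster's code. Assumed schema:
//   CREATE TABLE search (
//     id     INT AUTO_INCREMENT PRIMARY KEY,
//     cookie CHAR(64)     NOT NULL UNIQUE,
//     ip     VARCHAR(45)  NOT NULL,
//     terms  VARCHAR(255) NOT NULL,
//     date   DATE         NOT NULL
//   );

// Return the browser's search token, creating and setting it on first visit.
function getOrCreateSearchToken(): string
{
    // Only accept a value that looks like a token we issued; anything else is replaced.
    if (isset($_COOKIE['search']) && preg_match('/^[0-9a-f]{64}$/', $_COOKIE['search'])) {
        return $_COOKIE['search'];
    }
    // 32 bytes from the CSPRNG, hex-encoded to 64 characters (mt_rand is not suitable here).
    $token = bin2hex(random_bytes(32));
    setcookie('search', $token, [
        'expires'  => time() + 60 * 60 * 24 * 90, // 90 days, as in the thread
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    // $_COOKIE is only filled on the next request, so use the value we just generated.
    return $token;
}

// Store (or replace) the last search terms for this browser's token.
function rememberSearch(PDO $pdo, string $token, string $terms): void
{
    $terms = mb_substr(trim($terms), 0, 255);
    if ($terms === '') {
        return;
    }
    // Prepared statement: user input never becomes part of the SQL text.
    // UNIQUE(cookie) turns this into one row per browser instead of insert-or-update logic.
    $stmt = $pdo->prepare(
        'INSERT INTO search (cookie, ip, terms, date) VALUES (:cookie, :ip, :terms, CURDATE())
         ON DUPLICATE KEY UPDATE terms = VALUES(terms), ip = VALUES(ip), date = VALUES(date)'
    );
    $stmt->execute([
        ':cookie' => $token,
        ':ip'     => $_SERVER['REMOTE_ADDR'] ?? '',
        ':terms'  => $terms,
    ]);
}

// Fetch the last remembered terms for this token, or an empty string.
function lastSearch(PDO $pdo, string $token): string
{
    $stmt = $pdo->prepare('SELECT terms FROM search WHERE cookie = :cookie');
    $stmt->execute([':cookie' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['terms'] : '';
}

// Page flow: get the token, record a new search if one was submitted, prefill the box.
$token = getOrCreateSearchToken();
if (isset($_GET['q'])) {
    rememberSearch($pdo, $token, (string) $_GET['q']);
}
$lastTerms = lastSearch($pdo, $token);
// Stored terms are user input: encode them before putting them back into the page.
echo '<input type="search" name="q" value="'
    . htmlspecialchars($lastTerms, ENT_QUOTES, 'UTF-8') . '">';
```

Two things carry over from the thread's diagnosis: the token is used in the same request it was generated in, so there is no reload and no first row with a blank cookie value, and the cookie only identifies a browser, so two devices behind one IP no longer see each other's searches. The regex check on the incoming cookie, the prepared statements and the `htmlspecialchars` on output are there because both the cookie and the stored terms are attacker-controllable input that ends up in SQL and in HTML.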
