Can $_SERVER['REMOTE_ADDR'] be forged to an arbitrary string?

I have read multiple times that getting an IP from a client using $_SERVER['REMOTE_ADDR'] is safe, because it CAN'T be modified by the user directly (only by using proxies etc.) but it always returns an IP. Until today, when I received an error email from my site that a MySQL error occurred on the query which checks if an IP is banned. The raw query looks something like this:

    SELECT * FROM `bans` WHERE `ip`='{$ip}'

and getting the IP is done using $ip = $_SERVER['REMOTE_ADDR']. I didn't do any sanitizing on $ip because I assumed it can't be modified by the user... And I got an email that this query failed:

    SELECT * FROM `bans` WHERE `ip`='1'"+order+by+1--+,'

(note: I've put instead of the attacker's actual IP)

My email script also takes an IP using $_SERVER['REMOTE_ADDR'], so I got that "fake" IP in there too:

    IP: 1'"+order+by+1--+,

It's easy to sanitize when you know it can be modified, but I want to know how is that possible?
Did you check the related questions?
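Whatever the path by which a non-IP string ended up in REMOTE_ADDR, the defensive fix is the same: treat the value as untrusted input like any other, validate that it is syntactically an IP address, and never interpolate it into SQL text. The following is an added example, not code from the question or from any answer; it assumes a `bans` table with an `ip` column as the question describes, and stands in an in-memory SQLite database for MySQL so it runs offline. The sample addresses and the table contents are constructed.

```php
<?php
// Added example: validate REMOTE_ADDR and look up bans with a bound parameter.
// Assumes a `bans` table with an `ip` column (constructed below, in SQLite).
declare(strict_types=1);

/**
 * Return the client address from $_SERVER only if it is a syntactically valid
 * IPv4 or IPv6 address; otherwise return null. Any other string, such as the
 * SQL fragment quoted in the question, is rejected before it reaches a query.
 */
function clientIp(array $server): ?string
{
    $raw = $server['REMOTE_ADDR'] ?? '';
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/**
 * Check whether $ip appears in the bans table. The value is passed as a bound
 * parameter, so it is never spliced into the SQL text and cannot change the
 * statement's structure, whatever characters it contains.
 */
function isBanned(PDO $db, string $ip): bool
{
    $stmt = $db->prepare('SELECT 1 FROM bans WHERE ip = :ip LIMIT 1');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchColumn() !== false;
}

// --- constructed sample data: in-memory SQLite stands in for MySQL ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bans (ip TEXT PRIMARY KEY)');
$db->exec("INSERT INTO bans (ip) VALUES ('203.0.113.7')");

// Constructed REMOTE_ADDR values: a banned address, an ordinary address,
// an IPv6 address, and the non-IP string reported in the question.
$samples = [
    '203.0.113.7',
    '198.51.100.20',
    '2001:db8::1',
    '1\'"+order+by+1--+,',
];

foreach ($samples as $remote) {
    $ip = clientIp(['REMOTE_ADDR' => $remote]);
    if ($ip === null) {
        // A non-IP REMOTE_ADDR means the value did not come from where the
        // application assumes; log it and fail closed rather than query with it.
        printf("%-25s -> rejected: not an IP address\n", $remote);
        continue;
    }
    printf("%-25s -> %s\n", $remote, isBanned($db, $ip) ? 'BANNED' : 'allowed');
}
```

Parameter binding alone would already have prevented the query error in the question, because the string is sent as data rather than as part of the statement. Validating with FILTER_VALIDATE_IP is the second layer: it gives the application a clean signal that something upstream is not behaving as expected, which is worth alerting on in its own right.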
