|
|
Posted by "Richard Lynch" on 10/21/17 11:31
On Tue, November 8, 2005 9:43 am, Gustavo Narea wrote:
> *Distrust everything coming from your users,
> even their user agents*
>
> *If you make your scripts taking this into account,
> they'll be pretty secure*
>
>
> Actually, I believe that the one thing you can trust in, is their IP
> addresses. Isn't it?
No!
IP is useless for identification or authentication of the general
web-surfer:
Users behind firwalls will all appear to be from one (1) IP
AOL users change IPs faster than drummers change underwear
But even in the more restricted case of an IP you "know" will never
change (e.g.: intranet application), that IP can be spoofed, by a
knowlegable person.
And/or traffic to/from that IP can be targetted and examined.
The user's IP address is a useless bit of fluff you should ignore at
all times if you REALLY care about security.
This is not to say it's not TOTALLY useless...
You might, for example, allow developers from 192.168.*.* to surf to
your http://php.net/phpinfo page on a development box. After all, if
somebody has already broken through enough walls to surf to it, and
mask their IP as 192.168.*.*, you probably already have MUCH bigger
problems than them seeing phpinfo() output...
It would be BETTER to require a password of some kind, but it's not
totally wack to just use $_SERVER['REMOTE_ADDR'] for this.
You can use IP for statistical analysis of visits/visitors and be
reasonably certain that MOST of the IP addresses are "accurate" and
"semi-static" for a crude visitor/traffic monitoring, but knowing that
a certain percentage of error is inherent to that data -- more like an
opinion poll than anything.
--
Like Music?
http://l-i-e.com/artists.htm
Navigation:
[Reply to this message]
|