Re: [PHP] Re: Security Issues - Where to look?

Posted by Gustavo Narea on 10/10/03 11:31

Thanks for the explanation, Richard.

I'll definitely take it into account.

So, let's distrust *everything*.

Best regards.

Richard Lynch wrote:
> On Tue, November 8, 2005 9:43 am, Gustavo Narea wrote:
>
>> *Distrust everything coming from your users,
>> even their user agents*
>>
>> *If you make your scripts taking this into account,
>> they'll be pretty secure*
>>
>>
>>Actually, I believe that the one thing you can trust in, is their IP
>>addresses. Isn't it?
>
>
> No!
>
> IP is useless for identification or authentication of the general
> web-surfer:
> Users behind firewalls will all appear to be from one (1) IP
> AOL users change IPs faster than drummers change underwear
>
> But even in the more restricted case of an IP you "know" will never
> change (e.g.: intranet application), that IP can be spoofed, by a
> knowledgeable person.
>
> And/or traffic to/from that IP can be targeted and examined.
>
> The user's IP address is a useless bit of fluff you should ignore at
> all times if you REALLY care about security.
>
> This is not to say it's not TOTALLY useless...
>
> You might, for example, allow developers from 192.168.*.* to surf to
> your http://php.net/phpinfo page on a development box. After all, if
> somebody has already broken through enough walls to surf to it, and
> mask their IP as 192.168.*.*, you probably already have MUCH bigger
> problems than them seeing phpinfo() output...
>
> It would be BETTER to require a password of some kind, but it's not
> totally wack to just use $_SERVER['REMOTE_ADDR'] for this.
>
> You can use IP for statistical analysis of visits/visitors and be
> reasonably certain that MOST of the IP addresses are "accurate" and
> "semi-static" for a crude visitor/traffic monitoring, but knowing that
> a certain percentage of error is inherent to that data -- more like an
> opinion poll than anything.
>

--
Best regards,

Gustavo Narea.
PHP Documentation - Spanish Translation Team.
Valencia, Venezuela.
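The phpinfo gate Richard describes, written out as an added example (not code from the thread or from php.net): REMOTE_ADDR is checked against the 192.168.*.* range as a crude first filter, and a password is the control that actually authenticates. Assumed: PHP 7 or later running as an Apache module so PHP_AUTH_USER/PHP_AUTH_PW are populated, no reverse proxy in front of the server, and placeholder credentials.

```php
<?php
// Added example, not from the thread. Gate a dev-box phpinfo page on the
// client's network address, with a password as the real control.
// Assumption: no reverse proxy, so $_SERVER['REMOTE_ADDR'] is the TCP peer.

const ALLOWED_CIDR = '192.168.0.0/16';          // the "192.168.*.*" dev range
const DEV_USER     = 'developer';               // placeholder credential
// Placeholder only: in practice store the hash in config, never the plaintext.
define('DEV_PASS_HASH', password_hash('change-me', PASSWORD_DEFAULT));

// IPv4-only CIDR match; any unparsable address is treated as outside the range.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $bits    = (int) $bits;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : ~((1 << (32 - $bits)) - 1);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Only the TCP peer address counts. X-Forwarded-For and similar headers are
// client-supplied input and must not feed this decision.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
if (!ipInCidr($clientIp, ALLOWED_CIDR)) {
    http_response_code(403);
    exit('Forbidden');
}

// The network check only narrows who can reach the password prompt; the
// password is what authenticates a developer, as the thread recommends.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW']   ?? '';
if (!hash_equals(DEV_USER, $user) || !password_verify($pass, DEV_PASS_HASH)) {
    header('WWW-Authenticate: Basic realm="dev-box"');
    http_response_code(401);
    exit('Authentication required');
}

phpinfo();
```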
