Posted by Markus on 02/06/07 08:38
Jerry Stuckle wrote:
>> - Is a PHP session id always 32 characters long (if it is generated
>> normally with session_start() of course), or can its format vary due
>> to PHP versions or configurations (I work in shared hosting
>> environments)?
>
> Currently it's 32 characters long. That's not to say it can't change in
> future releases.
So as I use it only for temporary data, such as shopping cart orders or
administrator activities, I assume it is a good idea to work with
substr(session_id(), 0, 32);
>> - Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP address
>> of the format xxx.xxx.xxx.xxx, or can this also be an IPV6 address or
>> other?
>
> Unlike other comments, $_SERVER['REMOTE_ADDR'] cannot be forged in a
> useful manner. It comes directly from the ip header. It is also the ip
> address where the response would be sent. And while theoretically it
> could be forged, this requires hacking into the ip stack itself, not
> just a simple script or browser change - much more complicated than
> forging some of the other header values (like HTTP_REFERER). And it's
> really only useful for a DOS attack.
>
> But this can be an IPV6 address if/when your hosting company goes
> that way.
To be honest, I never understood what the point is in collecting this
value at all, it had just been there in the first sample script I got
from my first PHP teacher years ago...
Thanks a lot for your helpful info!
Markus
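
The storage question in this thread (a session id whose length may change between PHP versions, and a REMOTE_ADDR that may be IPv4 or IPv6), as an added example that is not part of the original posts. It hashes the session id to get a fixed-length key, which is a different technique from the substr() call mentioned above, and it packs either address family into 16 bytes; the function names and the CHAR(64) / BINARY(16) column sizes are assumptions.

```php
<?php
// Added example; function names and column sizes are assumptions.

/** Fixed-length key for a session id of any length: SHA-256 hex, CHAR(64). */
function session_storage_key(string $sessionId): string
{
    if ($sessionId === '') {
        throw new InvalidArgumentException('no active session id');
    }
    return hash('sha256', $sessionId);
}

/**
 * Normalise REMOTE_ADDR to 16 raw bytes (fits BINARY(16)).
 * IPv4 is stored IPv4-mapped (::ffff:a.b.c.d); invalid input gives null.
 */
function remote_addr_to_binary(string $addr): ?string
{
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($addr); // 4 bytes for IPv4, 16 for IPv6
    if ($packed === false) {
        return null;
    }
    if (strlen($packed) === 4) {
        $packed = str_repeat("\x00", 10) . "\xff\xff" . $packed;
    }
    return $packed;
}

/** Printable form for logs; mapped IPv4 comes back as a dotted quad. */
function binary_to_remote_addr(string $packed): string
{
    $prefix = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($packed) === 16 && strncmp($packed, $prefix, 12) === 0) {
        $packed = substr($packed, 12);
    }
    $text = inet_ntop($packed);
    return $text === false ? '' : $text;
}

// Constructed sample values (documentation address ranges).
foreach (['203.0.113.7', '2001:db8::1', 'not-an-ip'] as $addr) {
    $bin = remote_addr_to_binary($addr);
    echo $addr, ' => ', $bin === null ? 'rejected' : bin2hex($bin) . ' ' . binary_to_remote_addr($bin), "\n";
}
echo session_storage_key('0123456789abcdef0123456789abcdef'), "\n";
```

Storing the hash instead of the raw id also means a leaked table does not hand out usable session ids.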