dtq81142 2014-11-26 18:07
浏览 115
已采纳

PHP安全问题

I'm using multiple services to accept mobile payments for stuff like virtual currency.

Many companies will include an MD5 signature in the POST or GET callback which I can calculate to verify that the request is authentic and then reward the user with the purchased credits.

This method is very secure as it's nearly impossible to guess the signature.

Other companies will not provide a signature and just tell me to check if the call is from their server IP like the following code:

<?php 

  if(!in_array($_SERVER['REMOTE_ADDR'],array('xxx.xx.x.xx'))) {
     header('HTTP/1.0 403 Forbidden');
     die('Error: Unknown IP');
  }

?>

Is this IP check secure enough?? Isn't it now very easy to spoof an IP address and make a GET or a POST request using that IP?

  • 写回答

2条回答 默认 最新

  • douli0531 2014-11-26 20:20
    关注

    The other answers are incorrect. So I'll write my own.

    With the exception of exceedingly rare situations, REMOTE_ADDR is 100% trust worthy. It comes from the TCP connection to the server, so it's practically impossible to forge without actually compromising something on the network (like the router the IP belongs to) or without having your server misconfigured (severely, Apache doesn't even let you misconfigure it like that).

    So, there are two questions that I can see:

    Is it safe to trust REMOTE_ADDR

    Yes.

    If the REMOTE_ADDR variable in PHP indicates the request came from their server, then it came from their server.

    If you're using a remote proxy, then X-HTTP-FORWARDED-FOR is not to be trusted. That's where you can get into problems if you're not careful.

    Is MD5() of the request safer than REMOTE_ADDR verification

    NO!!!

    It's a lot easier to forge an MD5 signature than it is to forge an IP address (which requires you to breach specific network hardware). And if the attacker breaches the network hardware, the game is over anyway.

    What's The Best Solution?

    The best solution is three fold:

    1. Use HTTPS with Certificate Pinning

      On your app, store the public key of their server. Then force the peer verification to use that certificate. That means that an attacker would need to steal the certificate of the remote server to be able to connect.

    2. Verify IP Addresses

      Using REMOTE_ADDR

    3. Sign requests using HMAC+SHA2

      Use HMAC with SHA-256 or SHA-512.

    But yes, the IP check alone is quite secure.

    To go deeper, we'd need to go into what types of attacks you're defending from.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

  • PHP安全问题 php
    2014-11-26 18:07
    回答 2 已采纳 The other answers are incorrect. So I'll write my own. With the exception of exceedingly rare sit
  • web的easy php练习 php web安全
    2022-10-30 22:39
    回答 2 已采纳
  • 禁用PHP 5.6.36线程安全 apache php
    2018-05-21 23:28
    回答 1 已采纳 Apache 2.4.33 compiles using worker MPM by default which is multi threaded. When you compile PHP a
  • 网络安全-php安全知识点
    2020-10-09 17:26
    lady_killer9的博客 安全需要学的东西太多,你不可能把js学的和做前端的同学一样好、把php学的和做后端的一样好,把数据库学的和做数据库优化的同学一样好,把Apache学的和做服务器端的同学一样好,我们只能关注他们涉及的领域中不...
  • 学习网络安全需要学习PHP环境搭建吗? php 学习方法 网络安全
    2022-10-26 20:33
    回答 1 已采纳 网络安全的话,是不是很多都是C或者C++等等啊,php这种应用开发语言似乎用得不多吧。不知道你学习的网络安全包含哪些内容?
  • PHP中文件包含漏洞的利用 php web安全
    2022-09-29 09:29
    回答 2 已采纳 php://filter/read=convert.base64-encode/some/resource=flag.php
  • PHP的PREG正则匹配 php web安全 有问必答
    2023-03-07 20:59
    回答 2 已采纳 先匹配整个串,执行一次替换,然后.*又可以匹配空字符串,又替换了一次,所以就是okok。下面是js的替换过程 第二个问题可以参考下面的文章,说得比较详细https://blog.csdn.net/gi
  • PHP安全 [安全编码]
    2021-05-26 08:32
    carefree798的博客 总则: 绝对安全的系统是不存在的。最好的安全机制应该能在不防碍用户,并且不过多地增加开发难度的情况下做到能满足需求。...php //从用户目录中删除指定的文件 $username = $_POST['user_submitted_name']; $us.
  • PHP KCFinder会话安全选项 php
    2016-10-27 12:15
    回答 1 已采纳 KCFinder already has this feature built into it. In your login procedure, you should set a session
  • 在服务器上安全Php执行 apache php
    2019-01-20 13:39
    回答 2 已采纳 Hello Daina Hodges, You got a few options to secure this .php script. You can secure this scrip
  • PHP页面安全性损坏 php
    2016-02-06 09:12
    回答 1 已采纳 Assuming login_error_redirect() actually redirects, you will have to add exit to stop the script a
  • php为什么不安全
    2022-02-19 13:57
    zepcjsj0801的博客 最近遇到两位客户,说了一个让我有点怀疑人生的问题php安全 我做php十年,这个问题从我开始接触php就听说了,但是一直没当回事。 我的大学专业是.net,毕业后从事的工作就是开发,但是.net的开发以及调试、修改...
  • CTF webPHP这个不知道怎么传参 php 网络安全
    2022-07-16 10:44
    回答 1 已采纳 第三行用GET方法接受了一个参数,网址?whoami=参数比如http://111.111.111.111:8080/index.php?whoami=index.php多个参数用&连接,?whoam
  • web安全php基础_搭建php环境
    2023-07-03 23:41
    Qayrup的博客 然后网站好了,就可以新建项目,打开phpstorm,然后点击new project新建项目,然后再在刚刚打开的站点添加/phpinfo.php,看到如下页面,即我们的php环境搭建完成。然后在location栏里选择项目路径,就是刚刚我们创建...
  • PHP网站常见一些安全漏洞及防御方法
    2022-05-11 17:22
    知白守黑V的博客 一、常见PHP网站安全漏洞 对于PHP的漏洞,目前常见的漏洞有五种。分别是Session文件漏洞、SQL注入漏洞、脚本命令执行漏洞、全局变量漏洞和文件漏洞。这里分别对这些漏洞进行简要的介绍。 1、session文件漏洞 Session...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 拟通过pc下指令到安卓系统,如果追求响应速度,尽可能无延迟,是不是用安卓模拟器会优于实体的安卓手机?如果是,可以快多少毫秒?
  • ¥20 神经网络Sequential name=sequential, built=False
  • ¥16 Qphython 用xlrd读取excel报错
  • ¥15 单片机学习顺序问题!!
  • ¥15 ikuai客户端多拨vpn,重启总是有个别重拨不上
  • ¥20 关于#anlogic#sdram#的问题,如何解决?(关键词-performance)
  • ¥15 相敏解调 matlab
  • ¥15 求lingo代码和思路
  • ¥15 公交车和无人机协同运输
  • ¥15 stm32代码移植没反应