duanhuoyao7011 2018-05-22 12:55
浏览 78
已采纳

关于[HTTP_X_FORWARDED_FOR]的安全问题,我应该使用它而不是[REMOTE_ADDR]吗?

I'm trying to create a php counter, and in order not to count repeated visits from the same visitor, I've been thinking about saving the visitor's IP address into the database, and I should turn to $_SERVER

I've read this sample funtion by @Dusza that seems nice and convenient:

<?php
function get_IP() {

// ADDRESS IP
   if     (getenv('HTTP_CLIENT_IP'))       $ipaddress = getenv('HTTP_CLIENT_IP');
   else if(getenv('HTTP_X_FORWARDED_FOR')) $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
   else if(getenv('HTTP_X_FORWARDED'))     $ipaddress = getenv('HTTP_X_FORWARDED');
   else if(getenv('HTTP_FORWARDED_FOR'))   $ipaddress = getenv('HTTP_FORWARDED_FOR');
   else if(getenv('HTTP_FORWARDED'))       $ipaddress = getenv('HTTP_FORWARDED');
   else if(getenv('REMOTE_ADDR'))          $ipaddress = getenv('REMOTE_ADDR');
   else                                    $ipaddress = 'UNKNOWN';
//return $ipaddress;
    }
?>

But I've done some research here, and found that there's a security hole in that because the user can spoof all values except REMOTE_ADDR, which can be modified by a proxy.

So I guess that when they say that there's a security hole, it means that I should sanitize the user's input when I insert it into the database doing some bindings.

Is there any other precaution?

Given that all other values are unreliable I should avoid using them altogether?

But what about the un-spoffing value of REMOTE_ADDR? That can be modified by a proxy.

Any suggestions on what path should I take?

If you want to downvote, or vote the question to be closed or deleted, please leave me a comment about why, so I can improve my questions. Thanks.

  • 写回答

1条回答 默认 最新

  • dragoninasia2014 2018-05-22 13:03
    关注

    REMOTE_ADDR is the IP address established through a 3-way TCP/IP handshake. It is the IP the response will be sent back to. It is the only thing that your server has verified. Everything else is just arbitrary HTTP headers anyone could set.

    Now, if you know that your server is running behind a proxy (e.g. a load balancer) which would mask the visitor's IP address (your server would only see the proxy's IP), but you know that the proxy is helpfully forwarding you the visitor's IP in an HTTP header (as workaround for this situation so your server can still see the visitor's IP), then and only then may you use one of these HTTP headers and only the one that you know your proxy is setting. If your server is not behind a proxy, use REMOTE_ADDR exclusively. Otherwise, consult your proxy's manual and implement according to the situation.

    network diagram

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 iqoo11 如何下载安装工程模式
  • ¥15 本题的答案是不是有问题
  • ¥15 关于#r语言#的问题:(svydesign)为什么在一个大的数据集中抽取了一个小数据集
  • ¥15 C++使用Gunplot
  • ¥15 这个电路是如何实现路灯控制器的,原理是什么,怎么求解灯亮起后熄灭的时间如图?
  • ¥15 matlab数字图像处理频率域滤波
  • ¥15 在abaqus做了二维正交切削模型,给刀具添加了超声振动条件后输出切削力为什么比普通切削增大这么多
  • ¥15 ELGamal和paillier计算效率谁快?
  • ¥15 蓝桥杯单片机第十三届第一场,整点继电器吸合,5s后断开出现了问题
  • ¥15 file converter 转换格式失败 报错 Error marking filters as finished,如何解决?