www.webdeveloper.com
+ Reply to Thread
Results 1 to 4 of 4
  1. 05-21-2012 09:50 PM #1
    supercain
    supercain is offline Registered User
    Join Date
    Jul 2006
    Posts
    367

    Retrieve IP and referrer in forms

    Hi,

    i have a form and in order to validate the information sent i need to verify each sender's IP address and referrer. The simplest thing to do is something like this:

    PHP Code:
    //First define the ip address variable
    $ipaddress $_SERVER['REMOTE_ADDR']; 
    and then at the end of the form:

    PHP Code:
    <input type="hidden" name="ip" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>" />
    However, this is not very useful because anybody with fair computer knowledge can modify the source code of the form (by using Firefox addon Webdeveloper bar for example) and put there an arbitrary value so i would like to get the IP and store it in a place where the user cant see it, not even by looking at the source so it cant be modified. The same for the referrer.

    I tried with session @session_start(); and it worked well at the beginning, or thats what i thought but seems like its not getting the referrer as it should. Could you please give me a hint?

    Thank you.
    Reply With Quote Reply With Quote
  2. 05-21-2012 10:35 PM #2
    rtrethewey
    rtrethewey is offline Registered User
    Join Date
    Mar 2011
    Posts
    792
    I'd suggest that you have the PHP script that generates the form encode the user's IP address in such a way that it's not easily identifiable as an IP address and also use a name attribute that doesn't indicate the data is an IP address. Then the script that processes the form submission could decode the data and verify it with the referer's IP address.

    The encoding doesn't need to be terribly complex. As long as it's purpose isn't immediately apparent, you should discourage a large percentage of hackers who would rather spend their time finding other more vulnerable scripts than attempting to defeat your code.
    Rick Trethewey
    Rainbo Design
    Reply With Quote Reply With Quote
  3. 05-21-2012 11:24 PM #3
    supercain
    supercain is offline Registered User
    Join Date
    Jul 2006
    Posts
    367
    Thanks. But if the IP, although encrypted is still in the source it can be modified anyway and that defeats the whole purpose. I need to store those values internally so the user wont know about them.
    Reply With Quote Reply With Quote
  4. 05-22-2012 09:33 AM #4
    rtrethewey
    rtrethewey is offline Registered User
    Join Date
    Mar 2011
    Posts
    792
    You haven't really made your purpose clear. But even if a user could modify the data and submit it to your script, even a simple encoding scheme would likely be too much trouble for them to figure out how to format the data properly in order to get your script to accept it.

    As you suggested, you could store this encoded data in a $_SESSION variable instead of in a 'hidden' <input> tag. A hacker could generate his own session cookie and spoof the data, but he would face the same problem of having to figure out your encoding scheme. Good luck!
    Rick Trethewey
    Rainbo Design
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

     

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Forum Rules

 HTML5 Development Center



Recent Articles