www.webdeveloper.com

Thread: Retrieve IP and referrer in forms

  1. #1
    Join Date
    Jul 2006
    Posts
    373

    Retrieve IP and referrer in forms

    Hi,

    I have a form, and in order to validate the information sent I need to verify each sender's IP address and referrer. The simplest thing to do is something like this:

    PHP Code:
    //First define the ip address variable
    $ipaddress = $_SERVER['REMOTE_ADDR'];
    and then at the end of the form:

    PHP Code:
    <input type="hidden" name="ip" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>" />
    However, this is not very useful because anybody with fair computer knowledge can modify the source code of the form (by using the Firefox add-on Webdeveloper bar, for example) and put an arbitrary value there, so I would like to get the IP and store it in a place where the user can't see it, not even by looking at the source, so it can't be modified. The same for the referrer.

    I tried with session @session_start(); and it worked well at the beginning, or that's what I thought, but it seems like it's not getting the referrer as it should. Could you please give me a hint?

    Thank you.

  2. #2
    Join Date
    Mar 2011
    Posts
    1,108
    I'd suggest that you have the PHP script that generates the form encode the user's IP address in such a way that it's not easily identifiable as an IP address and also use a name attribute that doesn't indicate the data is an IP address. Then the script that processes the form submission could decode the data and verify it with the referer's IP address.

    The encoding doesn't need to be terribly complex. As long as its purpose isn't immediately apparent, you should discourage a large percentage of hackers who would rather spend their time finding other more vulnerable scripts than attempting to defeat your code.
    Rick Trethewey
    Rainbo Design

  3. #3
    Join Date
    Jul 2006
    Posts
    373
    Thanks. But if the IP, although encrypted, is still in the source, it can be modified anyway and that defeats the whole purpose. I need to store those values internally so the user won't know about them.

  4. #4
    Join Date
    Mar 2011
    Posts
    1,108
    You haven't really made your purpose clear. But even if a user could modify the data and submit it to your script, even a simple encoding scheme would likely be too much trouble for them to figure out how to format the data properly in order to get your script to accept it.

    As you suggested, you could store this encoded data in a $_SESSION variable instead of in a 'hidden' <input> tag. A hacker could generate his own session cookie and spoof the data, but he would face the same problem of having to figure out your encoding scheme. Good luck!
    Rick Trethewey
    Rainbo Design
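
Added example, not part of any post in this thread: on submission the handler can read $_SERVER['REMOTE_ADDR'] itself, and any value that must round-trip through the form can carry an HMAC so that an edited field is rejected by the server. FORM_SECRET, make_form_token and read_form_token are hypothetical names, and the IP addresses and referrer are constructed samples.

```php
<?php
// Hypothetical server-side key (assumption): load from config, never send to the browser.
const FORM_SECRET = 'replace-with-a-long-random-secret';

// Render time: pack the values the server observed and append an HMAC tag.
function make_form_token(array $fields, int $now): string
{
    $payload = base64_encode(json_encode($fields + ['ts' => $now]));
    return $payload . '.' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// Submit time: return the fields only if the tag verifies and the token is fresh.
function read_form_token(string $token, int $now, int $maxAge = 3600): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; any edit to the payload changes the expected tag.
    if (!hash_equals(hash_hmac('sha256', $payload, FORM_SECRET), $mac)) {
        return null;
    }
    $fields = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($fields) || !is_int($fields['ts'] ?? null)) {
        return null;
    }
    return ($now - $fields['ts'] <= $maxAge) ? $fields : null;
}

// Constructed sample values; in a real handler use $_SERVER['REMOTE_ADDR'] and time().
$seenIp = '203.0.113.7';
$issued = 1700000000;
$token  = make_form_token(['ip' => $seenIp, 'ref' => 'https://example.com/landing'], $issued);

// Untouched token from the same address: fields come back and the IP matches.
$ok = read_form_token($token, $issued + 60);
var_dump($ok !== null && hash_equals($ok['ip'], $seenIp));

// Field edited in the page source: payload rewritten, old tag kept.
[$p, $m] = explode('.', $token);
$forged  = base64_encode(str_replace($seenIp, '198.51.100.9', base64_decode($p))) . '.' . $m;
var_dump(read_form_token($forged, $issued + 60));
```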
