
Accessed based off of IP...

All,
There are certain scripts that I have that only I want to run, both from
home and sometimes work. If I add something like this (below) to the
scripts, will this keep out unauthorized use (if the scripts are found
somehow), or can the REMOTE_ADDR be easily spoofed?

Should I be checking HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR also?

$ip = $_SERVER["REMOTE_ADDR"];
if (($ip == "x.x.x.x") or ($ip == "y.y.y.y"))
{
    //secret stuff
}
else
{
    echo "<META HTTP-EQUIV=\"refresh\" content=\"0; url=/index.php\">";
    die();
}

or something like this:

function getipaddress()
{
    $ip;
    if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");
    else $ip = "UNKNOWN";
    return $ip;
}

$ip = getipaddress();
if (($ip == "x.x.x.x") or ($ip == "y.y.y.y"))
{
    //secret stuff
} else {
    echo "<META HTTP-EQUIV=\"refresh\" content=\"0; url=/index.php\">";
    die();
}

Thanks.
Jul 17 '05 #1
3 Replies


"StinkFinger" <st****@pinky.com> wrote in message
news:10*************@corp.supernews.com...
> All,
> There are certain scripts that I have that only I want to run, both from
> home and sometimes work. If I add something like this (below) to the
> scripts, will this keep out unauthorized use (if the scripts are found
> somehow), or can the REMOTE_ADDR be easily spoofed?

You can send TCP/IP packets with fake return addresses fairly easily. But to
take advantage of it in an attack against a web server is hard, I believe,
as the HTTP response would get routed to the real address.
Jul 17 '05 #2

Chung Leong wrote:
> "StinkFinger" <st****@pinky.com> wrote in message
> news:10*************@corp.supernews.com...
> > All,
> > There are certain scripts that I have that only I want to run, both from
> > home and sometimes work. If I add something like this (below) to the
> > scripts, will this keep out unauthorized use (if the scripts are found
> > somehow), or can the REMOTE_ADDR be easily spoofed?
>
> You can send TCP/IP packets with fake return addresses fairly easily. But to
> take advantage of it in an attack against a web server is hard, I believe,
> as the HTTP response would get routed to the real address.

Just kinda thinking out loud... but why not limit access to the directory
your scripts are in with .htaccess or IIS's authentication? That'd
probably be a bit more secure than relying upon the REMOTE_ADDR.

Regards,

- Dan
http://blog.dantripp.com
Jul 17 '05 #3

Dan Tripp wrote:
> > > There are certain scripts that I have that only I want to run, both from
> > > home and sometimes work. If I add something like this (below) to the
> > > scripts, will this keep out unauthorized use (if the scripts are found
> > > somehow), or can the REMOTE_ADDR be easily spoofed?
> >
> > You can send TCP/IP packets with fake return addresses fairly easily. But
> > to take advantage of it in an attack against a web server is hard, I
> > believe, as the HTTP response would get routed to the real address.
>
> Just kinda thinking out loud... but why not limit access to the directory
> your scripts are in with .htaccess or IIS's authentication? That'd
> probably be a bit more secure than relying upon the REMOTE_ADDR.


Not an answer to your solution, but a suggestion that instead of writing out
a meta tag refresh you might want to do this instead:

header("Location: /index.php");
exit;

Chris

--
Chris Hope
The Electric Toolbox Ltd
http://www.electrictoolbox.com/
Jul 17 '05 #4
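
Added example, not part of any post in this thread: REMOTE_ADDR is the TCP peer address as the web server saw it, while HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are copied from request headers that the client writes, so the header-first lookup in the question's second snippet accepts whatever address a request claims. The sketch below puts that lookup order beside a peer-first check over constructed requests. The function names, ALLOWED_IPS, TRUSTED_PROXIES and every address are assumptions made up for the illustration.

```php
<?php
// Added example. All addresses are constructed placeholders from documentation ranges.
const ALLOWED_IPS     = ['192.0.2.10', '198.51.100.25']; // stand-ins for "x.x.x.x" / "y.y.y.y"
const TRUSTED_PROXIES = ['203.0.113.5'];                 // hypothetical reverse proxy you operate

// Lookup order used in the question: request headers win over the TCP peer.
function ip_headers_first(array $s): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($s[$key])) return $s[$key];
    }
    return 'UNKNOWN';
}

// Peer address first; X-Forwarded-For is read only when the peer is our own proxy.
function ip_peer_first(array $s): string
{
    $peer = $s['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($s['HTTP_X_FORWARDED_FOR'])) {
        // Assumes the proxy appends the address it saw; entries to its left are client-supplied.
        $hops = array_map('trim', explode(',', $s['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) return $last;
    }
    return $peer;
}

function is_allowed(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP) !== false && in_array($ip, ALLOWED_IPS, true);
}

// Constructed requests, shaped like $_SERVER.
$requests = [
    'direct, allowed peer' => ['REMOTE_ADDR' => '192.0.2.10'],
    'direct, other peer, headers set by client' => [
        'REMOTE_ADDR' => '203.0.113.77',
        'HTTP_CLIENT_IP' => '192.0.2.10',
        'HTTP_X_FORWARDED_FOR' => '192.0.2.10',
    ],
    'via proxy, client prepended an entry' => [
        'REMOTE_ADDR' => '203.0.113.5',
        'HTTP_X_FORWARDED_FOR' => '192.0.2.10, 203.0.113.77',
    ],
];
foreach ($requests as $label => $s) {
    printf("%-44s headers-first=%-5s peer-first=%s\n", $label,
        is_allowed(ip_headers_first($s)) ? 'allow' : 'deny',
        is_allowed(ip_peer_first($s)) ? 'allow' : 'deny');
}
```

In a real script the same functions would be called with `$_SERVER` before any protected code runs, with TRUSTED_PROXIES left empty unless a proxy you control sits in front of the site.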
