Accessed based off of IP...

StinkFinger

All,
There are certain scripts that I have that only I want to run, both from
home and sometimes work. If I add something like this (below) to the
scripts, will this keep out unauthorized use (if the scripts are found
somehow), or can the REMOTE_ADDR be easily spoofed ?

Should I be checking HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR also ?

$ip = $_SERVER["REMOTE_ADDR"];
if (($ip == "x.x.x.x") or ($ip == "y.y.y.y"))
{
//secret stuff
}
else
{
echo "<META HTTP-EQUIV=\"refresh\" content=\"0; url=/index.php\">";
die();
}

or something like this:

function getipaddress()
{
$ip;
if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR")) $ip =
getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");
else $ip = "UNKNOWN";
return $ip;
}

$ip = getipaddress();
if(($ip == "x.x.x.x") or ($ip == "y.y.y.y"))
{
//secret stuff
} else {
echo "<META HTTP-EQUIV=\"refresh\" content=\"0; url=/index.php\">";
die();
}

Thanks.

Jul 17 '05 #1

Chung Leong

"StinkFinger" <st****@pinky.com> wrote in message
news:10*************@corp.supernews.com...

All,
There are certain scripts that I have that only I want to run, both from
home and sometimes work. If I add something like this (below) to the
scripts, will this keep out unauthorized use (if the scripts are found
somehow), or can the REMOTE_ADDR be easily spoofed ?

You can send TCP/IP packets with fake return addresses fairly easily. But to
take advantage of it in an attack against a web server is hard, I believe,
as the HTTP response would get routed to the real address.

Jul 17 '05 #2

Dan Tripp

Chung Leong wrote:

"StinkFinger" <st****@pinky.com> wrote in message
news:10*************@corp.supernews.com...

All,
There are certain scripts that I have that only I want to run, both from
home and sometimes work. If I add something like this (below) to the
scripts, will this keep out unauthorized use (if the scripts are found
somehow), or can the REMOTE_ADDR be easily spoofed ?

You can send TCP/IP packets with fake return addresses fairly easily. But to
take advantage of it in an attack against a web server is hard, I believe,
as the HTTP response would get routed to the real address.

Just kinda thinking out loud... by why not limit access to the directory
your scripts are in with .htaccess or IIS's authentication? That'd
probably be a bit more secure than relying upon the REMOTE_ADDR.

Regards,

- Dan
http://blog.dantripp.com

Jul 17 '05 #3

Chris Hope

Dan Tripp wrote:

There are certain scripts that I have that only I want to run, both from
home and sometimes work. If I add something like this (below) to the
scripts, will this keep out unauthorized use (if the scripts are found
somehow), or can the REMOTE_ADDR be easily spoofed ?

You can send TCP/IP packets with fake return addresses fairly easily. But
to take advantage of it in an attack against a web server is hard, I
believe, as the HTTP response would get routed to the real address.

Just kinda thinking out loud... by why not limit access to the directory
your scripts are in with .htaccess or IIS's authentication? That'd
probably be a bit more secure than relying upon the REMOTE_ADDR.

Not an answer to your solution, but a suggestion that instead of writing out
a meta tag refresh you might want to do this instead:

header("Location: /index.php");
exit;

Chris

--
Chris Hope
The Electric Toolbox Ltd
http://www.electrictoolbox.com/

Jul 17 '05 #4