Is it possible for a user to forge the result that is returned from $_SERVER['REMOTE_ADDR'] in PHP so they could in theory use SQL injection on a database?
This is a bit dumb, but I'm still new enough to PHP that I want to know if it can be done, whether or not I need to sanitize database input when the SELECT statement chooses from IP addresses returned from $_SERVER['REMOTE_ADDR']. So, if I wanted to use something like $query = "SELECT * FROM users WHERE IP='" . $_SERVER['REMOTE_ADDR'] . "'";, would there be any danger to my doing this?
Again, probably a "nooby" question, but I feel it must be asked.
Thanks
Can SQL Injection be traced? Most SQL Injection Vulnerabilities and attacks can be reliably and swiftly traced through a number of credible SQL Injection tools or some web vulnerability scanner. SQL Injection detection is not such a trying task, but most developers make errors.
An SQL injection attack consists of an insertion or injection of a SQL query via the input data from the client to the application. SQL commands are injected into data-plane input that affect the execution of predefined SQL commands.
It's a stretch, and unlikely, but I wouldn't go as far as to say it's impossible. So....
Use parameterized queries anyways.
Even if you never get attacked via the IP address field, you will still get the added benefit of faster queries through caching.
You can't rely on REMOTE_ADDR being true... it could be the wrong address due to anonymising proxies or some such trick. You can rely on it always being an IP address, so SQL injection by this path is impossible.
Way down at the bottom of the stack, that's been converted from the source address on the packets making the TCP connection to your server. That means a) it has to be an IP address and b) it has to route back to the client for the connection to happen at all.
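The parameterized query recommended in the answers above, applied to the query from the question. This is an added example and not code from any of the posts. It assumes PDO with an in-memory SQLite database standing in for the real one; the `users` table layout, the sample rows and the helper name `findUsersByIp` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the real database so the example runs offline.
// Table layout and rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, IP TEXT)');
$pdo->exec("INSERT INTO users (name, IP) VALUES ('alice', '203.0.113.7'), ('bob', '198.51.100.9')");

/**
 * Look up users by client address (hypothetical helper, not from the page).
 * Returns an empty array when the input is not a valid IP address.
 */
function findUsersByIp(PDO $pdo, string $addr): array
{
    // Defence in depth: refuse anything that is not a syntactically
    // valid IPv4 or IPv6 address before it reaches the database layer.
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        return [];
    }

    // The address is bound as data, so it never becomes part of the SQL text,
    // whatever it contains.
    $stmt = $pdo->prepare('SELECT id, name, IP FROM users WHERE IP = :ip');
    $stmt->execute([':ip' => $addr]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// On a web request this is the address of the TCP peer; under the CLI it is
// unset, so a constructed documentation address is used instead.
$remote = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7';

// Constructed inputs: the peer address, then a quote-bearing string of the
// kind that would change the meaning of the concatenated query in the question.
foreach ([$remote, "x' OR '1'='1"] as $candidate) {
    $rows = findUsersByIp($pdo, $candidate);
    printf("%-16s => %d row(s)\n", $candidate, count($rows));
}
```

The same function can be reused unchanged if the address later comes from a source that the client does control, such as a proxy-supplied header.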