Hi all,
this is more of a question than a real problem (I hope :)). I include this
script in my pages to log the IPs of visitors (they are saved into a txt
file and sent to e-mail later):
function getIPadress()
{
    if (isset($_SERVER["HTTP_CLIENT_IP"]))
    {
        return $_SERVER["HTTP_CLIENT_IP"];
    }
    elseif (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
    {
        return $_SERVER["HTTP_X_FORWARDED_FOR"];
    }
    elseif (isset($_SERVER["HTTP_X_FORWARDED"]))
    {
        return $_SERVER["HTTP_X_FORWARDED"];
    }
    elseif (isset($_SERVER["HTTP_FORWARDED_FOR"]))
    {
        return $_SERVER["HTTP_FORWARDED_FOR"];
    }
    elseif (isset($_SERVER["HTTP_FORWARDED"]))
    {
        return $_SERVER["HTTP_FORWARDED"];
    }
    else
    {
        return $_SERVER["REMOTE_ADDR"];
    }
}

// save log to txt
$fh = fopen($fileWithLog, 'a+') or die("Oups " . $fileWithLog ." !");
$IPAdress = getIPadress();
fwrite($fh, date('j.n.Y G:i:s') . $IPAdress . " (" .
    gethostbyaddr($IPAdress) . ")\n");
fclose($fh);
...can this be a possible security risk (XSS or so..), because I
do not check the chars in the IP address and host name mainly. It is probably
crazy, but on the other side I think it isn't impossible to use some
bad strings in a host name.
Would you recommend using "$IPAdress = htmlspecialchars(getIPadress());"
or something like that? Or is it nonsense?
Thx and excuse me if this question is too stupid :(. Br, Mir R.
--
PHP General Mailing List (http://www.php.net/)
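
An added example, not part of the original post: one way to log visitors so that neither client-sent headers nor reverse-DNS answers can put markup or extra lines into the log. The function names clientIp, safeHostname and logLine and the log path are hypothetical, and the code assumes the site is not behind a reverse proxy.

```php
<?php
// Added example: hypothetical helper names, not code from the original post.

// Return the peer address PHP saw on the TCP connection, validated as an IP.
// Headers such as X-Forwarded-For are sent by the client and are ignored here
// (assumption: the site is not behind a reverse proxy that sets them).
function clientIp(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : 'invalid';
}

// Reverse DNS is answered by whoever controls the PTR zone for the address,
// so keep only characters that are legal in a host name and cap the length.
function safeHostname(string $ip): string
{
    if ($ip === 'invalid') {
        return 'unknown';
    }
    $host = @gethostbyaddr($ip);      // false on bad input, the IP itself on failure
    if ($host === false || $host === $ip) {
        return 'unresolved';
    }
    $host = preg_replace('/[^A-Za-z0-9.\-]/', '?', $host);
    return substr($host, 0, 253);
}

// One record per line: both fields are free of CR/LF, so a visitor cannot
// forge additional log entries.
function logLine(string $ip, string $host): string
{
    return date('j.n.Y G:i:s') . ' ' . $ip . ' (' . $host . ")\n";
}

// Constructed sample input: a forged header is present but never read.
$_SERVER['HTTP_X_FORWARDED_FOR'] = "<b>x</b>\n1.1.2020 0:00:00 10.0.0.1";
$_SERVER['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'] ?? '192.0.2.10'; // documentation range

$ip   = clientIp();
$line = logLine($ip, safeHostname($ip));
file_put_contents(sys_get_temp_dir() . '/visitors.log', $line, FILE_APPEND | LOCK_EX);

// Escape at output time, when the log is shown as HTML (page or HTML mail).
echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8');
```

The log file keeps the validated raw values; htmlspecialchars() is applied only where the log is rendered as HTML.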