Skip to content


容易被忽略的HTTP_X_FORWARDED_FOR攻击

  1. function getIP() {
  2. if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
  3. $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
  4. } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
  5. $realip = $_SERVER['HTTP_CLIENT_IP'];
  6. } else {
  7. $realip = $_SERVER['REMOTE_ADDR'];
  8. }
  9. return $realip;
  10. }

这个是网上常见获取ip函数

其中x-forword-fox的值是可以被自定义改写的.

在firefox下通过Moify Headers插件或者用php的fsockopen()函数等方法来改写.

如果你需要将IP写入数据库并打开的错误输出,那么将HTTP_X_FORWARDED_FOR的值改成192.168.0.1′ or 1= 是可能会产生sql注射.

同样$_SERVER[“HTTP_USER_AGENT”],$_SERVER[“HTTP_ACCEPT_LANGUAGE”],$_SERVER[‘HTTP_REFERER’] 等http变量入库时也需做过滤

改进的获取ip函数

  1. if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
  2. $OnlineIP = getenv('HTTP_CLIENT_IP');
  3. } elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
  4. $OnlineIP = getenv('HTTP_X_FORWARDED_FOR');
  5. } elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
  6. $OnlineIP = getenv('REMOTE_ADDR');
  7. } elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
  8. $OnlineIP = $_SERVER['REMOTE_ADDR'];
  9. }
  10. preg_match("/[\d\.]{7,15}/", $OnlineIP, $match);
  11. $OnlineIP = $match[0] ? $match[0] : 'unknown';
  12. unset($match);

参考:

http://www.jb51.net/article/37690.htm

http://zhangxugg-163-com.iteye.com/blog/1663687

Posted in PHP, 安全.

Tagged with , .


No Responses (yet)

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.



Some HTML is OK

or, reply to this post via trackback.