保护IP检查php
[英]Securing IP check php
问题描述
I have 
我有
$result = mysqli_query($mysqli,"SELECT * FROM ".MYSQLBTCTABLE." WHERE ip = '" . $_SERVER['REMOTE_ADDR'] . "' AND date = '".date("Y-m-d")."' AND time = '".date("D")."'") or die(mysqli_error());
How can I secure the $_SERVER['REMOTE_ADDR'] so it checks not only the user ip/proxy but also the socks ip so they can't abuse my code by changing IP? 如何保护$_SERVER['REMOTE_ADDR']以便它不仅检查用户ip / proxy而且还检查socks ip,这样他们就不会通过更改IP来滥用我的代码?
also I found this code: 我也找到了这段代码:
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
Will it work so if I put WHERE ip = '".($ip)."' ? 它会工作,如果我把WHERE ip = '".($ip)."' ?
1 个解决方案
解决方案1
2 2013-11-25 14:18:41
You can not do that in common case 在常见情况下你不能这样做
- You can't be sure if user is using proxy: it can be anonymous proxy 您无法确定用户是否正在使用代理:它可以是匿名代理
- You can't be sure if he is using computer device 您无法确定他是否使用计算机设备
- You can't be sure that he is human: it may be request via
cURLor similar stuff你无法确定他是否是人类:可能是通过cURL或类似的东西请求
So that's the reality of the Internet. 这就是互联网的现实。 You can not rely on any information that came from client side. 您不能依赖来自客户端的任何信息。 If you're suspecting that user changed his IP address - then hide critical part behind authentication . 如果您怀疑用户更改了他的IP地址 - 那么隐藏身份验证背后的关键部分。 Thus, you'll be able to identify user by his login in your web-application. 因此,您将能够通过Web应用程序中的登录识别用户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.