Free login page


grant

It seems you are using the "HTTP_X_FORWARDED_FOR" in your game

So remove all this

You're unable to view this code.


Change it to this

 

You're unable to view this code.


Also in header, authenticate, globals

;)

Link to comment
Share on other sites

Wrong paddy.

There is no need to mysql_real_escape_string on IP

Does not hurt, in fact it could be better (I use it...). There are Firefox addons (not that I have one of them :rolleyes: ) that allow you to change what your IP is shown as. For something like mccodes, where everyone knows table name etc., it can do some damage; however, mres on a number is for the most part pointless on anything else. Just my thought on it.

Edit - I am not saying mres is the best way there are things like http://www.w3schools.com/PHP/filter_validate_ip.asp , however it's not "wrong" in this case.

Link to comment
Share on other sites

You cannot spoof the $_SERVER['REMOTE_ADDR'] variable..

I think you missed my point...

There are Firefox addons that change how your IP looks, and IF something ever worked you would be well out of luck >.<

At the end of the day mres does not hurt it, so it's not "wrong" as you put it. It is an extra check that does not affect a number, but if it ever was anything bad it's there. Btw, check Google; I have no idea how it's done, however "$_SERVER['REMOTE_ADDR']" has been spoofed a fair few times by the more professional hackers. That would be why everything is checked over and over and over again. :)

Link to comment
Share on other sites

I highly doubt there are addons to spoof the $_SERVER['REMOTE_ADDR'] variable.

MRES doesn't hurt, however it does mean you would have to then use stripslashes on output everywhere.

If you're going to add "extra security" do it right..

if (filter_var($ip, FILTER_VALIDATE_IP)) {
    // it's valid
} else {
    // it's not valid
}

However, if you're using this make sure you have PHP5+

Link to comment
Share on other sites
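
Added example, not part of any post in this thread: one way to combine the two points made so far, taking the address from REMOTE_ADDR rather than the client-supplied X-Forwarded-For header and checking it with filter_var(). The function name client_ip(), the $trustedProxies list and the sample requests are assumptions made for illustration; the code needs PHP 7.1 or later.

```php
<?php
// Added example: client_ip() and $trustedProxies are hypothetical names.

/**
 * Return the validated client address, or null if none can be determined.
 * $server is passed in (normally $_SERVER) so the function can be run offline.
 */
function client_ip(array $server, array $trustedProxies = []): ?string
{
    // REMOTE_ADDR is the peer of the TCP connection as seen by the web server.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // X-Forwarded-For is a request header: a client can send any value in it.
    // Only read it when the connection itself comes from a proxy we operate.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk right to left: the rightmost entries were appended by our own proxies.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;   // malformed chain: fall back to the proxy address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;      // first address not added by a trusted proxy
        }
    }
    return $remote;
}

// Constructed requests using documentation-range addresses.
$direct  = ['REMOTE_ADDR' => '203.0.113.7',
            'HTTP_X_FORWARDED_FOR' => 'whatever the client typed'];
$proxied = ['REMOTE_ADDR' => '192.0.2.10',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 192.0.2.10'];

var_dump(client_ip($direct));                   // no trusted proxy: header is ignored
var_dump(client_ip($proxied, ['192.0.2.10']));  // header read only behind our proxy
```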

I highly doubt there are addons to spoof the $_SERVER['REMOTE_ADDR'] variable.

Again you missed my point. I am not saying the Firefox addons can; I am saying when they can. However, I am also saying it has been done, though I don't think they would use Firefox addons...

 

MRES doesn't hurt, however it does mean you would have to then use stripslashes on output everywhere.

Why is that? I thought it was for double escapes only, and well, that's just silly O_o

 

If you're going to add "extra security" do it right..

if (filter_var($ip, FILTER_VALIDATE_IP)) {
    // it's valid
} else {
    // it's not valid
}

However, if you're using this make sure you have PHP5+

I did post a link in one of my posts to the w3 page for that :P I also said "it's not the best way, however it's not "wrong" as you put it". I use a few checks on the $ip just like everything else; always good to check it. One thing to note about it though is it has had bugs in the past, so it should not be used on its own in my opinion. I am not 100% sure if the bugs have been fixed. http://bugs.php.net/50830

Link to comment
Share on other sites

So, Jordan suggests that applying mres to the $ip var would mean that you need to strip slashes on the output?

Wrong.

mysql_real_escape_string() will not hurt your IP variable; if it leads you to believe that your game is more secure then use it, it will not affect anything.

And if there are ways to alter your IP then surely we need to do more than just mysql_real_escape_string()? REMOTE_ADDR can not be altered, and that is the $IP variable.

If you want to do it properly, as said by Palmer: "If you're going to add "extra security" do it right.." (don't think that comment was thought through in this situation)

Look into INET_NTOA() and INET_ATON().

Don't worry so much about this.

Link to comment
Share on other sites

The argument is more or less invalid as this is a login page, so the IP variable isn't even used and ergo doesn't even need to be in the script for the most part.

 

Authenticate.php is what handles the IP that, or Register

For this post yes, and if they wish me to split the topic I will; however, learning is never a bad thing. If someone is doing it wrong we would like to know who O-o

Link to comment
Share on other sites

So, Jordan suggests that applying mres to the $ip var would mean that you need to strip slashes on the output?

Wrong.

mysql_real_escape_string() will not hurt your IP variable; if it leads you to believe that your game is more secure then use it, it will not affect anything.

And if there are ways to alter your IP then surely we need to do more than just mysql_real_escape_string()? REMOTE_ADDR can not be altered, and that is the $IP variable.

If you want to do it properly, as said by Palmer: "If you're going to add "extra security" do it right.." (don't think that comment was thought through in this situation)

Look into INET_NTOA() and INET_ATON().

Don't worry so much about this.

The only reason you should escape it is the fact that people have been known to redeclare the IP variable beforehand to something that's not what you expect, i.e.

You're unable to view this code.

INET_* are actually used for storing/retrieving IP addresses, so yes, that's the better option.

@Palmer:

You have no understanding of mysql_real_escape_string() if you still believe that it inserts the slash into the database. ;)

So down to it all, either use INET functions or just insert as is or maybe even use mres; it won't matter either way, but if you're going to do it at least do it right.

Link to comment
Share on other sites
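
Added example, not part of any post in this thread: storing the address as an integer, which is what the INET_ATON()/INET_NTOA() suggestion above amounts to, done on the PHP side with ip2long()/long2ip() and a bound parameter. Assumptions: an in-memory SQLite table named login_log stands in for the game's MySQL table (where the column would be INT UNSIGNED), the function names are hypothetical, and the PHP build is 64-bit.

```php
<?php
// Added example: ip_to_int(), record_login() and login_log are hypothetical names.
// ip2long()/long2ip() are PHP counterparts of MySQL's INET_ATON()/INET_NTOA();
// like those SQL functions, they handle IPv4 only.

function ip_to_int(string $ip): ?int
{
    // Reject anything that is not a dotted-quad IPv4 address before converting.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // Assumes 64-bit PHP, where ip2long() always returns a non-negative integer.
    return ip2long($ip);
}

function record_login(PDO $db, int $userId, string $ip): bool
{
    $n = ip_to_int($ip);
    if ($n === null) {
        return false;   // not an IPv4 address: nothing is written
    }
    // Bound parameters: the values never become part of the SQL text,
    // so there is nothing to escape on input or strip on output.
    $stmt = $db->prepare('INSERT INTO login_log (user_id, ip) VALUES (?, ?)');
    return $stmt->execute([$userId, $n]);
}

// In-memory SQLite database used so the example runs offline (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_log (user_id INTEGER, ip INTEGER)');

// Constructed inputs: one valid address, one value that is not an address.
var_dump(record_login($db, 1, '203.0.113.7'));
var_dump(record_login($db, 2, '203.0.113.7; extra text'));

// Reading back: convert the stored integer to dotted-quad form for display.
foreach ($db->query('SELECT user_id, ip FROM login_log') as $row) {
    echo $row['user_id'], ' ', long2ip((int) $row['ip']), "\n";
}
```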

I don't believe anything; I was just told to never use it on the IP variable as you'd need to strip it down on the output. I always used the mentioned way, so never tested.

Well that would apply itself to anything entered into the db with mres, which then they (whoever they is) would say you need to stripslashes on output which just isn't true but people don't seem to understand this (not you) -.-

Link to comment
Share on other sites
