Dave Hull wrote:
Maybe it's a good idea to also parse the dhcp leases to check that the
ip has been attributed by the dhcp server...
Finally you're going up the right tree. Chasing webserver errors from a
script executed by it is an exercise in futility.
Could you use the DHCPLEASEQUERY option for this?
http://www.ietf.org/internet-drafts/draft-ietf-dhc-leasequery-07.txt
I've been doing some PHP code audits in recent months and have been
amazed at the number of projects that blindly trust client input.
Client input and server platform input are two wildly different things.
The $_SERVER[REMOTE_ADDRESS] variable is taken from a connected socket
and simply inet_ntoa()'d to the environment. Since the packet got there,
we know the variable can't possibly contain anything but an IP-address
in standard dot notation (not that it matters if it doesn't, since it
will still be four bytes translated to an IP-address).
Simply by asking this question, you're ahead of the game. Always
assume the worst, that some determined hacker has created a custom
browser and has the ability to insert environment and cookie variables
of her own choosing.
Environment variables, no. Cookie variables, yes. If the user can insert
environment variables the game is lost. There is no chance for php to
fend that off, no matter if the coder is god herself.
No browser on earth can insert environment variables without first
compromising the server. If they could it would be so trivial to take
over a website that nobody would care to set one up, and writing your
own "browser" is trivial enough if it only has to send one request (or
even a series of requests from various spoofed addresses).
Don't trust any input from the user or their browser.
Exactly. But trust the input from the server. You don't have much choice
anyway, so it's a waste of time bothering about it.
/exon
