
I can get the global IP of a client like below, but is it safe?

<?php
// REMOTE_ADDR is filled in by the web server from the TCP connection
echo $_SERVER['REMOTE_ADDR'];

I saw an article saying that we have to sanitize $_GET, $_POST or $_COOKIE, but how should I treat $_SERVER?

masudak
  • Disclaimer: I don't know PHP. It looks like `$_SERVER` only contains items generated by the server, so, other than headers (which are generated by the client), I wouldn't _think_ you'd need to sanitize it or anything. – Piper McCorkle Jan 15 '16 at 02:28
  • Yes it's safe, and you can see [this question](http://stackoverflow.com/questions/8187714/is-serverremote-addr-always-isset) about if `$_SERVER['REMOTE_ADDR']` will always be `isset()` – joaumg Jan 15 '16 at 02:30
  • Maybe take a look at this thread, http://stackoverflow.com/questions/5092563/how-to-fake-serverremote-addr-variable. – chris85 Jan 15 '16 at 02:33
  • @ZebMcCorkle `$_SERVER['HTTP_USER_AGENT']` could very, very easily contain unsafe data. IIRC Apache will handle any unknown request method as `GET`, so `$_SERVER['REQUEST_METHOD']` could contain unsafe data. – ceejayoz Jan 15 '16 at 02:43
  • Thank you for the kind answer! Some items like $_SERVER['HTTP_USER_AGENT'] don't contain unsafe data, but some do, don't they? Therefore we can't fake $_SERVER['REMOTE_ADDR'], so I understood that we don't need to sanitize that value. – masudak Jan 15 '16 at 04:23
  • @masudak The user agent is an arbitrary string sent by the client, so yes, it can contain whatever. – msanford Jan 15 '16 at 15:19
  • @msanford yes, I got it. I'll have to take care of it with security. – masudak Jan 16 '16 at 09:55

1 Answer

$_GET, $_POST and $_COOKIE come from user input, so they should be treated with caution.

While $_SERVER is generated by the PHP interpreter, it also contains a lot of user-provided data, such as argv, QUERY_STRING, PHP_SELF, all headers (called HTTP_header_name) and so on. Treat those as unsafe user input as well.

Never assume that it will only be a browser making a request to your server: attackers can craft special requests very easily.

msanford
  • So you mean that we should sanitize or do something about $_SERVER['REMOTE_ADDR'] even if it is user input data, for security? – masudak Jan 15 '16 at 04:25
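As an added PHP example (not code from the question or from msanford's answer), the following separates the $_SERVER entries the web server derives from the connection (REMOTE_ADDR) from the ones copied out of the request (every HTTP_* header, QUERY_STRING, PHP_SELF, argv and friends, as listed in the answer), validates the former and escapes the latter before display. The sample $_SERVER array, the function names and the PHP 7.1+ environment are assumptions for illustration; the X-Forwarded-For header is included only to show that it is an ordinary client-supplied header, not a substitute for REMOTE_ADDR.

```php
<?php
// Added example, not from the original page. Assumes PHP 7.1 or later.

/**
 * Return the connecting peer address, or null if it is not a well-formed IP.
 * REMOTE_ADDR is set by the web server from the TCP connection, so the client
 * cannot write it directly, but it is still validated before it is logged,
 * stored or compared against an allow list.
 */
function remote_address(array $server): ?string
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    $valid = filter_var($addr, FILTER_VALIDATE_IP); // string or false
    return $valid === false ? null : $valid;
}

/**
 * Keys whose values are copied from the request and are therefore untrusted:
 * every HTTP_* header plus the CGI/request-line values derived from the URL.
 * (Hypothetical classification written for this example.)
 */
function is_client_controlled(string $key): bool
{
    static $untrusted = [
        'QUERY_STRING', 'REQUEST_URI', 'PHP_SELF', 'PATH_INFO',
        'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH', 'argv',
    ];
    return strncmp($key, 'HTTP_', 5) === 0 || in_array($key, $untrusted, true);
}

/**
 * Build a display-safe summary of the request: REMOTE_ADDR is validated,
 * client-controlled string values are HTML-escaped, and nothing is echoed raw.
 * Server-generated keys such as SERVER_SOFTWARE are left out of the summary.
 */
function request_summary(array $server): array
{
    $out = ['remote_addr' => remote_address($server) ?? 'invalid'];
    foreach ($server as $key => $value) {
        if (is_client_controlled($key) && is_string($value)) {
            $out[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
    }
    return $out;
}

// Constructed sample $_SERVER (not a real capture): a script tag in the
// User-Agent, markup in PHP_SELF, and a forwarding header a client can set.
$sample = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 <script>alert(1)</script>',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.9',
    'PHP_SELF'             => '/index.php/<b>x</b>',
    'SERVER_SOFTWARE'      => 'Apache',
];

print_r(request_summary($sample));
```

Running it prints `remote_addr` unchanged, the three client-controlled entries with `<`, `>` and quotes escaped, and no `SERVER_SOFTWARE` key; replacing REMOTE_ADDR with something like `not-an-ip` yields `invalid` instead. If the application sits behind a reverse proxy and needs the original client address, read the forwarding header only from a proxy you trust and validate each address in it the same way, since a client can send that header itself.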