
I was wondering if variables with $_SERVER should be treated as safe or whether they should be filtered before use. I am trying to detect if the connection comes from CloudFlare or not. On this basis, I choose the method of obtaining the customer's IP address. When the connection comes from CloudFlare, $_SERVER["HTTP_CF_CONNECTING_IP"] should be present and its contents should be the IP of the client.

According to "Which $_SERVER variables are safe?", $_SERVER["HTTP_CF_CONNECTING_IP"] could be user controlled, so an IP obtained this way could be spoofed:

$ip = isset($_SERVER["HTTP_CF_CONNECTING_IP"]) ? $_SERVER["HTTP_CF_CONNECTING_IP"] : $_SERVER["REMOTE_ADDR"];

Is there any good solution to this problem?

mkaminski

1 Answer


No data for $_SERVER is explicitly designed to be treated as SQL source code.

Some data in $_SERVER is directly copied from the HTTP request (i.e. is user input).

It should be treated as any other input from outside the system and appropriate escaping / filtering should be applied.

Quentin
And even *if* they were safe, escaping still should be done. Better be safe than sorry. – Marco Mar 26 '18 at 12:16
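One way to act on the answer's point, as an added example that is not code from the question, the answer or Cloudflare: honour HTTP_CF_CONNECTING_IP only when the TCP peer (REMOTE_ADDR) is itself one of the proxy's addresses, and validate the header value as an IP before using it. The CIDR list below is a constructed placeholder (RFC 5737 documentation addresses), not Cloudflare's real ranges; in production it would be loaded from the list Cloudflare publishes for its edge network.

```php
<?php
declare(strict_types=1);

// Placeholder trusted-proxy ranges (constructed for this example, NOT real Cloudflare ranges).
const TRUSTED_PROXY_CIDRS = ['203.0.113.0/24'];

/** True if the IPv4 address $ip lies inside the CIDR block $cidr. */
function ipInCidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$subnet, $bits] = $parts;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** Resolve the client IP from a $_SERVER-like array, trusting the header only from known proxies. */
function clientIp(array $server, array $trustedCidrs = TRUSTED_PROXY_CIDRS): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $peerIsTrusted = false;
    foreach ($trustedCidrs as $cidr) {
        if (ipInCidr($remote, $cidr)) {
            $peerIsTrusted = true;
            break;
        }
    }
    $forwarded = $server['HTTP_CF_CONNECTING_IP'] ?? null;
    // The header is plain user input unless a trusted proxy set it; even then, validate its shape.
    if ($peerIsTrusted && is_string($forwarded) && filter_var($forwarded, FILTER_VALIDATE_IP) !== false) {
        return $forwarded;
    }
    return $remote;
}

// Constructed sample requests: one from the placeholder proxy range, one direct with a forged header.
var_dump(clientIp(['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7']));
var_dump(clientIp(['REMOTE_ADDR' => '192.0.2.5', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7']));
```

Only the first request resolves to the header value; for the second, the peer is not a trusted proxy, so the header is ignored and REMOTE_ADDR is returned. The mask arithmetic assumes 64-bit PHP integers.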