
This is the superglobal in PHP for a client's hostname:

$_SERVER['REMOTE_HOST']

It usually looks something like:

ecIP-AD-DRE-SS.us-west-1.compute.amazonaws.com
IP-AD-DRE-SS.bb.dnainternet.fi
IP-AD-DRE-SS.dynamic.lounea.fi

Can someone change their hostname so that it would contain something capable of SQL injection? Also, is SQL injection prevented if you only remove the single quote ' from user inputs?

  • (score 2) Since you should do the above (parameterized prepared statements), it wouldn't matter if a hostname could contain SQL. Simply never ever trust data you're not 100% in control over. Even then you should be careful (since you can accidentally enter the bad characters that might break your query). – M. Eriksson Jan 18 '19 at 21:42
  • I think the only way to change _SERVER values is to manipulate PHP binaries or config. So if the server is trustable there is no problem. Of course someone can manipulate the reverse DNS name resolution, but that level of manipulation deserves the prize of the injection (rofl). – Walker Leite Jan 18 '19 at 21:45
  • (score 3) @WalkerLeite - The `$_SERVER` array contains a lot of values that come from the client, so even if your server is trusted, it doesn't mean that all those values can be. – M. Eriksson Jan 18 '19 at 21:46

1 Answer

7

Can someone change their hostname so that it would contain something capable of SQL injection?

Interesting question. Maybe? But it doesn't matter, because...

Also, is SQL injection prevented if you only remove the singe quote ' from user inputs?

Absolutely not. Forget about dealing with quotes and use prepared statements with bound parameters.

Edit: Also note that you generally don't want your web server doing DNS lookups for every hit, so $_SERVER['REMOTE_HOST'] should normally be unset. If you need to occasionally do lookups for authentication or logging, you can do it ad hoc in PHP.

Alex Howansky
  • (score 1) There's no guarantee that a hostname doesn't contain hostile content, even SQL injections. Some DNS resolvers don't care what they include in their results. They just pass it through. – tadman Jan 18 '19 at 21:53
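Putting the answer and the comments together in code: the hostname is attacker-influenced (whoever controls the PTR record for the client's IP controls the string), so it is logged through a bound parameter rather than concatenated into SQL. This is an added example, not code from the question or the answer; the `access_log` table, the DSN and the credentials are assumptions. The ad hoc reverse lookup with `gethostbyaddr()` is the fallback the answer suggests for when `$_SERVER['REMOTE_HOST']` is unset.

```php
<?php
// Added example (not from the original question or answer): logging a client's
// reverse-DNS hostname with a bound parameter instead of string concatenation.
// The table name `access_log`, the DSN and the credentials are assumptions.

declare(strict_types=1);

function clientHostname(): ?string
{
    // $_SERVER['REMOTE_HOST'] only exists when the web server does reverse
    // lookups on every request (Apache: HostnameLookups On). Otherwise resolve
    // ad hoc, as the answer suggests. Either way the result comes from DNS
    // data the client side can influence, so it is untrusted input.
    if (!empty($_SERVER['REMOTE_HOST'])) {
        return $_SERVER['REMOTE_HOST'];
    }
    if (empty($_SERVER['REMOTE_ADDR'])) {
        return null;
    }
    $host = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    // gethostbyaddr() returns the IP itself when there is no PTR record and
    // false on malformed input; treat both as "no hostname".
    if ($host === false || $host === $_SERVER['REMOTE_ADDR']) {
        return null;
    }
    return $host;
}

// The "before" form: the hostname becomes part of the SQL text. Deleting
// single quotes from $host does not make this safe; the fix is not to build
// SQL from the value at all.
function logHitUnsafe(PDO $db, string $host): void
{
    $db->exec("INSERT INTO access_log (hostname) VALUES ('" . $host . "')");
}

// The fixed form: the value travels to the database server as a parameter,
// so its contents are never parsed as SQL, whatever characters they hold.
function logHitSafe(PDO $db, string $ip, ?string $host): void
{
    $stmt = $db->prepare(
        'INSERT INTO access_log (ip, hostname) VALUES (:ip, :host)'
    );
    $stmt->bindValue(':ip', $ip, PDO::PARAM_STR);
    $stmt->bindValue(':host', $host, $host === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->execute();
}

// Assumed connection details; ERRMODE_EXCEPTION makes failures visible and
// disabling emulated prepares keeps the statement server-side.
$db = new PDO('mysql:host=127.0.0.1;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

logHitSafe($db, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', clientHostname());
```

`logHitUnsafe()` is included only as the pattern to replace; production code should contain only the `logHitSafe()` shape. Doing the lookup inside the request path still costs a DNS round trip per hit, which is the reason the answer recommends leaving `REMOTE_HOST` unset and resolving only where the hostname is actually needed.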