4

I am getting the visitor's IP with this method: Request.UserHostAddress.ToString()

Is there any chance that it can be spoofed or used for SQL injection? What are the risks and possibilities? Thank you.

ASP.NET 4.0, C# 4.0, IIS 7.5

Furkan Gözükara

2 Answers

4

No. The IP is from the socket with the web server. It cannot be spoofed (for more than one request). If the IP was spoofed, the client could only send a request to the server and would never see the reply.

I cannot see how it can be used in a SQL injection, even if it was used directly in your SQL statement. It is an IP address even if it was fake, and could not be SQL code.

Summary:

Spoofing: if the user has to navigate your site (make more than one page call), then his IP needs to be correct (not spoofed).

Injection: the user cannot put just any value into UserHostAddress: it needs to be an IP address, and therefore cannot be harmful if injected into your SQL statement.

Eystein Bye
  • Can you provide a link for "The IP is from the socket with the web server" please? I'm interested but can't seem to find anything. – Barry Kaye Mar 11 '13 at 16:30
  • The application protocol used by web servers is HTTP, and it initiates a request by establishing a Transmission Control Protocol (TCP) connection. You will see that TCP uses a three-way handshake to establish the connection between the client (browser) and the server. This could not be done with a spoofed IP address. Once the connection is made, the server knows the client's IP address, and that is where it will send the reply (HTML). http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment – Eystein Bye Mar 19 '13 at 20:37
  • Here is the list of info in the HTTP request; as you can see, the IP is not in here. It is not needed since it is known from TCP. http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14 – Eystein Bye Mar 19 '13 at 21:29
1

The IP address itself can be spoofed, but it is extremely unlikely.

It cannot be used for SQL injection.

ChrisBint
  • Yes, I am using it directly, like select or insert. That is why I am asking. How is it possible to be spoofed like "delete from ***"? How is this possible? – Furkan Gözükara Nov 17 '11 at 16:40
  • In that case, you have nothing to worry about. – ChrisBint Nov 17 '11 at 16:42
  • ChrisBint, you are saying it can be spoofed and changed, then you are saying it cannot be. Are you really experienced with this? – Furkan Gözükara Nov 17 '11 at 16:43
  • A spoofed IP address will only ever be an IP address, so if you are using that value in your SQL then it is okay. It could never be set to 'DELETE ME' for example. – ChrisBint Nov 17 '11 at 16:45
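Both answers make the same point: whatever Request.UserHostAddress holds, it is the address from the TCP connection, and the asker is splicing it straight into SQL text. The following C# is an added example for this thread, not code from either answer or from the asker. It shows the concatenated insert the question describes next to a parameterized one, plus an IPAddress.TryParse check, so the statement's safety rests on the code rather than on the shape of the value. The table and column names (VisitorLog, Ip, SeenAt) and the connection string are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Web;

// Added example, not from the original thread. Records the visitor's IP taken
// from the socket-level Request.UserHostAddress. Table and column names are
// assumed for illustration.
public static class VisitorLogger
{
    // Returns the parsed address, or null when the value is not a literal
    // IPv4/IPv6 address. UserHostAddress comes from the TCP connection, but
    // validating it explicitly means the storage code does not have to rely
    // on that fact.
    public static IPAddress ParseClientAddress(string userHostAddress)
    {
        IPAddress address;
        if (string.IsNullOrEmpty(userHostAddress) ||
            !IPAddress.TryParse(userHostAddress, out address))
        {
            return null;
        }
        return address;
    }

    // The pattern the question describes: the value is spliced into the
    // statement text, so the query is only as safe as the value's format.
    public static string BuildConcatenatedInsert(string userHostAddress)
    {
        return "INSERT INTO VisitorLog (Ip, SeenAt) VALUES ('"
               + userHostAddress + "', GETUTCDATE())";
    }

    // Parameterized form: the address travels as typed data in a parameter,
    // never as part of the SQL text, so no value of any shape can alter the
    // statement.
    public static void LogVisit(string connectionString, HttpRequest request)
    {
        IPAddress address = ParseClientAddress(request.UserHostAddress);
        if (address == null)
        {
            return; // not a literal address; nothing to log
        }

        const string sql =
            "INSERT INTO VisitorLog (Ip, SeenAt) VALUES (@ip, GETUTCDATE())";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // IPv6 text can be up to 45 characters (IPv4-mapped form);
            // size the parameter and the column for that.
            command.Parameters.Add("@ip", SqlDbType.VarChar, 45).Value = address.ToString();
            connection.Open();
            command.ExecuteNonQuery();
        }
    }
}
```

From a page or handler this is called as VisitorLogger.LogVisit(connectionString, Request). One check worth keeping in mind when reading the answers above: if the site sits behind a reverse proxy or load balancer, UserHostAddress is the address of that proxy's socket, not the browser's, which is a different problem from injection but affects what ends up in the table.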