  1. #1 New Coder

    How reliable are $_SERVER variables?

    Specifically $_SERVER[HTTP_REFERER]?

    I have a web form that is being targeted by a spammer, I have their IP number through the $_SERVER[HTTP_REFERER] variable, (server log files are not available to me) and I need to know how reliable this data is. Can this be spoofed or forged in any way?

    When I get a hold of the apache log files can I consider them to be more reliable?

    Thanks

  • #2 ralph l mayo

  • #3 New Coder
    Thanks Ralph,

    I'm sorry, but I suffered a complete brain fart in writing my question. I intended to inquire about $_SERVER[REMOTE_ADDR].

    Since $_SERVER vars are written by the server can I assume that this will be the same as what is found in the server log?

    Thanks again.

  • #4 ralph l mayo
    Quote Originally Posted by Arragon View Post
    Since $_SERVER vars are written by the server can I assume that this will be the same as what is found in the server log?
    AFAIK this is a safe assumption.

  • #5 CFMaBiSmAd
    The REMOTE_ADDR is the IP address that made the request to your web server and where the response will be sent back to.

    About the only thing you can do with an IP address is log it and ban it.

    Because most of the people on the planet connect to the Internet with a dynamically assigned IP address, they would only need to reset/power off/on their DSL/Cable modem or disconnect/connect if using a dial up connection, in order to get a different IP address.

    Also, if they are going through a proxy, the IP address is that of the proxy. They only need to use a different proxy in order to get a different IP address. There are some port range tests you can do to help detect if they are using an anonymous proxy.

    What sort of problem are you having? The best way to deal with someone abusing your web site is to close any loophole that is allowing them to abuse it or to remove the benefit they are receiving by abusing it, such as being able to send spam through a contact us form. Simply detecting and banning an IP address, besides not working, will only cause them to try harder to find a way to abuse your site.
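    The post above says to close the loophole rather than chase the IP. The original poster's form is never shown, so the following is an added example (not code from the thread or from anyone in it) that assumes a typical PHP contact form with fields name, email, subject and message handed to mail(). The loophole such forms usually have is mail header injection: a CR/LF inside "email" or "subject" ends up in the additional-headers string and lets the submitter append Bcc: lines, which is exactly the "benefit" a spammer gets from a contact form. The recipient address and field names are assumptions.

```php
<?php
// Added example, not from the thread. Hardened handling for an assumed
// contact form (fields: name, email, subject, message) that calls mail().
// The attack it closes is mail header injection via CR/LF in user fields.

const CONTACT_RECIPIENT = 'webmaster@example.com'; // assumed, fixed server-side

// True if the value could terminate a header line. We reject rather than
// strip: a submission carrying CR/LF or NUL is never a legitimate one.
function containsHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns the names of invalid fields; an empty array means the input is clean.
function validateContactForm(array $post): array
{
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = trim($post['message'] ?? '');

    if ($name === '' || strlen($name) > 100 || containsHeaderBreak($name)) {
        $errors[] = 'name';
    }
    // FILTER_VALIDATE_EMAIL accepts exactly one bare address, so both
    // "a@b.example\r\nBcc: x@y.example" and "a@b.example, c@d.example" fail.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || containsHeaderBreak($email)) {
        $errors[] = 'email';
    }
    if ($subject === '' || strlen($subject) > 200 || containsHeaderBreak($subject)) {
        $errors[] = 'subject';
    }
    if ($message === '') {
        $errors[] = 'message';
    }
    return $errors;
}

// Additional headers for mail(). From: is our own address; the submitter's
// address appears only in Reply-To, and only after validation above.
function buildContactHeaders(string $email): string
{
    return 'From: ' . CONTACT_RECIPIENT . "\r\n"
         . 'Reply-To: ' . $email . "\r\n";
}

// Validate, then send to the fixed recipient. The submitter never chooses
// who receives the message, so the form is useless as a relay.
function handleContactSubmission(array $post): bool
{
    if (validateContactForm($post) !== []) {
        return false; // caller re-renders the form with the error list
    }
    $body = 'From: ' . trim($post['name']) . "\n\n" . trim($post['message']);
    return mail(CONTACT_RECIPIENT, trim($post['subject']), $body,
                buildContactHeaders(trim($post['email'])));
}

// Constructed inputs to exercise the validation offline (nothing is sent here).
$injected = [
    'name'    => 'Bob',
    'email'   => "bob@example.net\r\nBcc: victim@example.org", // CR/LF in a header field
    'subject' => 'hi',
    'message' => 'buy stuff',
];
$clean = [
    'name'    => 'Alice',
    'email'   => 'alice@example.net',
    'subject' => 'Question',
    'message' => 'Is the form safe?',
];
var_dump(validateContactForm($injected));
var_dump(validateContactForm($clean));
```

    With this in place the spammer gets nothing out of the form whatever IP address they arrive from, which is the point the post makes.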

  • #6 Inigoesdr
    Quote Originally Posted by CFMaBiSmAd View Post
    [quotes post #5 in full]
    Yes $_SERVER['REMOTE_ADDR'] can be trusted. And while all of this post is true you can easily look at the IPs, tell if the user had been using a proxy (more often than not, no), and then ban their IP/Subnet/Hostname. Though it should be noted that hostnames aren't very reliable either. Depending on what you're banning this person from it might be easier to require registration with e-mail verification (and blocking free-email sites). Or just blocking the IP might be enough for you.
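    Posts #5 and #6 between them make the practical point: REMOTE_ADDR is filled in by the web server from the TCP connection that delivered the request, so a client cannot forge it and still receive the response, and in Apache's common log format the first field is that same peer address (unless HostnameLookups is on, in which case the log shows the reverse-resolved name instead). What can be forged is every HTTP_* entry in $_SERVER, including HTTP_X_FORWARDED_FOR, which is just a request header. The following is an added example, not code from the thread, showing how to derive an address worth logging and banning from those two sources and how to ban by single address or subnet as #6 suggests. TRUSTED_PROXIES, BANNED and the sample requests are assumed/constructed; it handles IPv4 only.

```php
<?php
// Added example, not from the thread. Resolve a client address that is safe
// to log and ban, then check it against a ban list of addresses and subnets.

// Reverse proxies we run ourselves (assumed). Only when REMOTE_ADDR is one of
// these is X-Forwarded-For believed; from anyone else it is just a header.
const TRUSTED_PROXIES = ['10.0.0.0/8'];

// Ban list as the thread suggests: single addresses and subnets (assumed data).
const BANNED = ['203.0.113.0/24', '198.51.100.7'];

// True when IPv4 $ip lies inside $cidr ("203.0.113.0/24" or a bare address).
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    if ($bits === 0) {
        return true;
    }
    // Discard the host bits and compare only the network part.
    return ($ipLong >> (32 - $bits)) === ($subnetLong >> (32 - $bits));
}

function matchesAny(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// The address to log and ban. $server is passed in instead of reading
// $_SERVER directly so the function can be exercised with constructed input.
function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !matchesAny($remote, TRUSTED_PROXIES)) {
        return $remote; // direct connection or unknown proxy: ignore the header
    }
    // Each proxy appends the peer it saw, so the right end of the list was
    // written by our own edge. Walk leftwards past our hops; the first
    // foreign hop is the client as our edge saw it. Anything further left was
    // supplied by the client and is not trusted.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!matchesAny($hops[$i], TRUSTED_PROXIES)) {
            return filter_var($hops[$i], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
                ? $hops[$i]
                : $remote; // garbage in the header: fall back to the proxy address
        }
    }
    return $remote;
}

function isBanned(string $ip): bool
{
    return matchesAny($ip, BANNED);
}

// Constructed requests. The first is a direct client forging X-Forwarded-For
// to look like it came from elsewhere; the second arrived through our proxy.
$forged  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.6'];

foreach ([$forged, $proxied] as $req) {
    $ip = clientIp($req);
    printf("%-15s banned=%s\n", $ip, isBanned($ip) ? 'yes' : 'no');
}

// In the real handler, before doing any work:
// if (isBanned(clientIp($_SERVER))) { http_response_code(403); exit; }
```

    The forged header on the direct connection is ignored, so the address that gets logged is the one the TCP peer actually used; through the trusted proxy the same client is found one hop to the left of our own proxy. If the site is not behind a reverse proxy at all, leave TRUSTED_PROXIES empty and clientIp() reduces to REMOTE_ADDR.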

  • #7 aedrin
    Most things that come from the outside can be spoofed in a way.

    Quote Originally Posted by Inigoesdr View Post
    Yes $_SERVER['REMOTE_ADDR'] can be trusted.
    I disagree. If someone is deliberately targeting a server and needs to be banned, then IP will do little. It's not hard to go through a different proxy.

    In general, for the average user blocking an IP address will work reasonably well. But if that person has intent, then it will do nothing.

    The same applies to registration. It takes little effort to register. Including requiring a mail account. There are sites out there that will generate a temporary email address at the click of a button.

    All of these methods provide a certain amount of protection. Some more than others. It all depends on how much protection you need. But the Internet is anonymous and you can't block someone 100%.

  • #8 Inigoesdr
    Quote Originally Posted by aedrin View Post
    I disagree. If someone is deliberately targeting a server, and requires to be banned then IP will do little. It's not hard to go through a different proxy.
    As I said, you can lookup the IP to see if they are using a proxy and take appropriate action from there.
    Quote Originally Posted by aedrin View Post
    In general, for the average user blocking an IP address will work reasonably well. But if that person has intent, then it will do nothing.
    Right, that's exactly what I said.
    Quote Originally Posted by aedrin View Post
    The same applies to registration. It takes little effort to register. Including requiring a mail account. There are sites out there that will generate a temporary email address at the click of a button.
    Again, I said this. You can add more security if it's needed (ie. Captcha), but for the most part this is overkill.
    Quote Originally Posted by aedrin View Post
    All of these methods provide a certain amount of protection. Some more than other. It all depends on how much protection you need. But the Internet is anonymous and you can't block someone 100%.
    You can eventually, but it's not worth it and WILL inconvenience the rest of your users. And no, the internet is not anonymous.

  • #9 aedrin
    Quote Originally Posted by Inigoesdr View Post
    As I said, you can lookup the IP to see if they are using a proxy and take appropriate action from there.
    I'd like to know how you figure out if someone is using a proxy.

    I could use it in a lot of situations.

    Quote Originally Posted by Inigoesdr View Post
    Again, I said this. You can add more security if it's needed (ie. Captcha), but for the most part this is overkill.
    Quote Originally Posted by Inigoesdr View Post
    it might be easier to require registration with e-mail verification (and blocking free-email sites).
    Captcha and email verification are all easy to get around for any spammer that has intent.

    Quote Originally Posted by Inigoesdr View Post
    You can eventually
    That sounds quite hopeful.

  • #10 Inigoesdr
    Quote Originally Posted by aedrin View Post
    I'd like to know how you figure out if someone is using a proxy.

    I could use it in a lot of situations.
    You can find lists of free proxies all over the internet; just search.
    Quote Originally Posted by aedrin View Post
    Captcha and email verification are all easy to get around for any spammer that has intent.
    I don't know what you're using for captcha but I've only seen one program that was able to come even close to matching captchas and it was sketchy at best. E-mail verification is not easy to get around either if you're blocking common free e-mail sites. If someone registers with another domain and causes problems you can block that domain easily. Then what? They'll run out of options quickly.
    Quote Originally Posted by aedrin View Post
    That sounds quite hopeful.
    Yes, but most people will lose interest long before you have to take these extreme measures.

    Anyway this is getting off-topic and is starting to hijack the OP's thread so if you want to discuss it further PM me.
