php 信任 $_SERVER['REMOTE_ADDR'] 安全吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4773969/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is it safe to trust $_SERVER['REMOTE_ADDR']?
提问by Silver Light
Is it safe to trust $_SERVER['REMOTE_ADDR']? Can it be substituted by changing the header of request or something like that?
信任安全$_SERVER['REMOTE_ADDR']吗?可以通过更改请求的标头或类似的东西来代替吗?
Is it safe to write something like that?
写这样的东西安全吗?
if ($_SERVER['REMOTE_ADDR'] == '222.222.222.222') { // my ip address
$grant_all_admin_rights = true;
}
回答by sagi
Yes, it's safe. It is the source IP of the TCP connection and can't be substituted by changing an HTTP header.
是的,它很安全。它是 TCP 连接的源 IP,不能通过更改 HTTP 标头来替代。
One case you may want to be worry of is if you are behind a reverse proxy in which case the REMOTE_ADDR will always be the IP of the proxy server and the user IP will be provided in an HTTP header (such as X-Forwarded-For). But for the normal use case reading REMOTE_ADDR is fine.
您可能需要担心的一种情况是,如果您在反向代理后面,在这种情况下 REMOTE_ADDR 将始终是代理服务器的 IP,并且用户 IP 将在 HTTP 标头中提供(例如X-Forwarded-For)。但是对于正常用例,读取 REMOTE_ADDR 就可以了。
回答by phihag
$_SERVER['REMOTE_ADDR']is the IP address the TCP connection came in on. While it is technically possible to bidirectionally spoof IP addresses on the Internet (by announcing foul routes via BGP), such attacks are likely to be spotted and not available to the typical attacker - basically, your attacker must have control over an ISP or carrier. There are no feasible unidirectional spoofing attacks against TCP (yet). Bidirectional IP spoofing is trivial on a LAN though.
$_SERVER['REMOTE_ADDR']是 TCP 连接进入的 IP 地址。虽然技术上可以双向欺骗 Internet 上的 IP 地址(通过 BGP 宣布错误路由),但此类攻击很可能会被发现并且典型攻击者无法使用 - 基本上,您的攻击者必须控制 ISP 或运营商。目前还没有针对 TCP 的可行的单向欺骗攻击。不过,双向 IP 欺骗在 LAN 上是微不足道的。
Also be aware that it may be not be an IPv4, but an IPv6 address. Your current check is fine in that regard, but if you would check that 1.2.3.4only occurs anywherewithin $_SERVER['REMOTE_ADDR'], an attacker could simply connect from 2001:1234:5678::1.2.3.4.
另请注意,它可能不是 IPv4,而是 IPv6 地址。您当前的检查在这方面没问题,但是如果您要检查1.2.3.4只发生在内的任何地方$_SERVER['REMOTE_ADDR'],攻击者可以简单地从 连接2001:1234:5678::1.2.3.4。
Summarily, for anything other than critical (banking/military/potential damage >50.000) applications, you can use the remote IP address if you can exclude attackers in your local network.
总而言之,对于除关键(银行/军事/潜在损害 > 50.000)应用程序以外的任何应用程序,如果您可以排除本地网络中的攻击者,则可以使用远程 IP 地址。
回答by Audio
As mentioned above, it's not absolutely safe. But it doesn't mean, that you shouldn't use it. Consider combine this with some other methods of authentication, for instance checking COOKIE values.
如上所述,它不是绝对安全的。但这并不意味着您不应该使用它。考虑将其与其他一些身份验证方法结合使用,例如检查 COOKIE 值。
