From: Michael Shadle on
On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham <tommyhp2(a)gmail.com> wrote:

> Then I presume that your firewall, servers, and application are test-proven 'bulletproof'? :-P

a) no such thing
b) pretty damn solid, yes

and the reason? because i don't overcomplicate things.

"a simple stack is a happy stack"

:)
From: "Tommy Pham" on
> -----Original Message-----
> From: Michael Shadle [mailto:mike503(a)gmail.com]
> Sent: Wednesday, June 23, 2010 1:20 AM
> To: Tommy Pham
> Cc: php-general(a)lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham <tommyhp2(a)gmail.com>
> wrote:
>
> > Then I presume that your firewall, servers, and application are test-proven
> 'bulletproof'? :-P
>
> a) no such thing
> b) pretty damn solid, yes
>
> and the reason? because i don't overcomplicate things.
>
> "a simple stack is a happy stack"
>
> :)

I agree that there is no such thing as bulletproof, but in all my IT experience over 2 decades, whatever I'm responsible for, whether servers (hardware & software) and/or networks, has never been compromised or taken down :) because I can track down the source of the problem and deal with it before it has a chance to escalate ;) It's all about finding that IP quickly and dealing with it even faster.

Regards,
Tommy

From: "Tommy Pham" on
> -----Original Message-----
> From: Michael Shadle [mailto:mike503(a)gmail.com]
> Sent: Wednesday, June 23, 2010 1:07 AM
> To: Tommy Pham
> Cc: php-general(a)lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham <tommyhp2(a)gmail.com>
> wrote:
>
> > If you're going to implement this, then it's better to implement the
> conversion in the backend DB (via SP or UDF). So you can always use MySQL
> query browser or the command line to run queries or other methods
> depending on your access to the DB, especially if you need to find that
> malicious IP address quickly ;)
>
> -1 for complicating mysql setups :)

Just an afterthought scenario:

You've got a skilled hacker using multiple (compromised) systems or spoofing multiple IPs. This would naturally and easily bypass your firewall. The web server(s) are overloaded with the phony requests. What are you going to do to get to the source of the problem, and how are you going to analyze it?

Are you going to have some kind of reporting in your app, which is already being overloaded with phony requests? Or are you going to access the DB directly to analyze the access logs and compare the incoming requests to analyze the IPs and/or requested URLs? Thus, I see 2 choices:

"-1 for complicating mysql setups"

(-1 for complicating the app+code - which is not very useful at this point) + face to palm for not being able to get IP address(es) quickly enough

.... tough call :)

From: "Tanel Tammik" on
"Michael Shadle" <mike503(a)gmail.com> wrote in message
news:AANLkTildd_GdnlfFPuWDX5acWWK45jbU4I6YBbmGJ6qj(a)mail.gmail.com...
> On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman <rene7705(a)gmail.com> wrote:
>> unlikely. it's an apache-delivered ip address.. very little chance of
>> insert vulnerabilities, imho.
>
> still, the overhead for a db escape is better than your site being
> trashed.
>
> also, you could look at converting the IP to an INT(10) (at least for
> IPv4) and save
>
> ip in string - 123.456.789.123 - up to 15 bytes - varchar(15)
> ip in integer format - 4 bytes - int(10)
>
> I've done this on a variety of projects. Arjen even mentions it back in
> 2005:
>
> http://arjen-lentz.livejournal.com/44290.html
>
> It does make things a bit harder to read, and at one point I did get
> different results when calculating it in PHP vs. MySQL (I forget when
> and how, and haven't seen the issue again) but if you're looking for
> IP ranges it can come in handy too - integer math is much cleaner than
> IP address math :)

How do I convert it? With ip2long() or in SQL with INET_ATON()?

Br Tanel


From: Ashley Sheridan on
On Wed, 2010-06-23 at 12:21 +0300, Tanel Tammik wrote:

> "Michael Shadle" <mike503(a)gmail.com> wrote in message
> news:AANLkTildd_GdnlfFPuWDX5acWWK45jbU4I6YBbmGJ6qj(a)mail.gmail.com...
> > On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman <rene7705(a)gmail.com> wrote:
> >> unlikely. it's an apache-delivered ip address.. very little chance of
> >> insert vulnerabilities, imho.
> >
> > still, the overhead for a db escape is better than your site being
> > trashed.
> >
> > also, you could look at converting the IP to an INT(10) (at least for
> > IPv4) and save
> >
> > ip in string - 123.456.789.123 - up to 15 bytes - varchar(15)
> > ip in integer format - 4 bytes - int(10)
> >
> > I've done this on a variety of projects. Arjen even mentions it back in
> > 2005:
> >
> > http://arjen-lentz.livejournal.com/44290.html
> >
> > It does make things a bit harder to read, and at one point I did get
> > different results when calculating it in PHP vs. MySQL (I forget when
> > and how, and haven't seen the issue again) but if you're looking for
> > IP ranges it can come in handy too - integer math is much cleaner than
> > IP address math :)
>
> How do I convert it? With ip2long() or in SQL with INET_ATON()?
>
> Br Tanel
>
>
>

That's what I'd use. You may also have to wrap it inside an abs() call
to ensure it's a positive number, as some IP addresses equate to
negative with ip2long().

The benefit of converting it to a number I've found is that searching
can become much faster as it's easier to perform a simple number
comparison search to find if a given IP address is within a range than
perform more complex string queries to determine if an IP address is
within a range. You will, as well, benefit from a smaller table, as it
uses far less space to store a number than a string of up to 15
characters.

Also, if you're looking to use one of the ip2country type databases to
determine the rough geographical location of your visitors, they use the
IP number system.

Thanks,
Ash
http://www.ashleysheridan.co.uk
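Putting Michael's INT(10) storage idea and Ashley's ip2long()/INET_ATON() answer together, here is an added example (not code from the thread or from any poster) of the conversion, an integer-math range test, and the database round-trip in PHP. It assumes 64-bit PHP 7.1 or later with PDO and a hypothetical `visits` table with an `ip INT UNSIGNED` column, and it formats the converted value with sprintf('%u') so it stays unsigned even where ip2long() returns a negative integer.

```php
<?php
// Added example (not from the thread). Assumes 64-bit PHP >= 7.1 and a hypothetical `visits` table with `ip INT UNSIGNED`.
declare(strict_types=1);
// Dotted-quad IPv4 -> unsigned 32-bit value as a decimal string, or null when the input is not valid IPv4.
function ipv4ToUnsigned(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // "%u" renders the value unsigned even where ip2long() returns a negative int
    return sprintf('%u', ip2long($ip));
}

// Range test in pure integer math: is $ip inside $cidr, e.g. "10.1.0.0/16"?
function ipv4InCidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $ipN = ipv4ToUnsigned($ip);
    $netN = count($parts) === 2 ? ipv4ToUnsigned($parts[0]) : null;
    $bits = count($parts) === 2 && ctype_digit($parts[1]) ? (int) $parts[1] : -1;
    if ($ipN === null || $netN === null || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((int) $ipN & $mask) === ((int) $netN & $mask);
}

// Store the address as a bound integer parameter; request data is never concatenated into SQL text.
function storeVisit(PDO $pdo, string $remoteAddr): bool
{
    $n = ipv4ToUnsigned($remoteAddr);
    if ($n === null) {
        return false; // refuse to store an unparseable "address"
    }
    $stmt = $pdo->prepare('INSERT INTO visits (ip, seen_at) VALUES (:ip, NOW())');
    return $stmt->execute([':ip' => $n]);
}

// Range lookup is a single integer BETWEEN; INET_NTOA() makes the result readable again.
function visitsInRange(PDO $pdo, string $lo, string $hi): array
{
    [$loN, $hiN] = [ipv4ToUnsigned($lo), ipv4ToUnsigned($hi)];
    if ($loN === null || $hiN === null) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT INET_NTOA(ip) AS ip, seen_at FROM visits WHERE ip BETWEEN :lo AND :hi');
    $stmt->execute([':lo' => $loN, ':hi' => $hiN]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Because the column is INT UNSIGNED and the value is bound as a parameter, the quoting question that started the thread does not arise, and a REMOTE_ADDR that is not a valid IPv4 address is rejected before it reaches the database.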