vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Depend on IP to view restricted page? (https://vborg.vbsupport.ru/showthread.php?t=202726)

m002.p 01-22-2009 04:07 PM
Depend on IP to view restricted page?
 
Hi

Anyone know whether or how secure depending on a viewers IP is to then either get access to a restricted page or not?

I have a MYSQL table with up to date member IP's where in a php file I use this code to either enable access or deny it.

PHP Code:
// Declare IP Variable
$ip $_SERVER['REMOTE_ADDR'];

// MYSQL Permission Check

$usercheck mysql_fetch_array(mysql_query("SELECT * FROM members WHERE ip='".$ip."' AND now()-session < 1800 AND (rank='9' || rank = '10' || rank='11')"));

if (empty($usercheck))
{
header("Location: denied.php");
}

if (!empty($usercheck))
{
mysql_query("UPDATE distags SET session=NOW() WHERE ip='".$ip."'");
So how secure is the above code? I have a few pages running it which I want restricted and all works well.

However, from a secure PHP point of view, is it possible for someone to fake the users ip, find it out, or just gain access to the restricted page without fufilling the requirement?

Thanks for any constructive advice.

Matt

Dismounted 01-23-2009 03:09 AM
Would it be possible to gain access without actually being the user? Yes. One possibility is someone getting assigned the same IP fairly quickly. Most ISPs issue dynamic IPs. Another possibility is that even when the user has logged out, the computer would still have access to the page.

Is there something stopping you from doing a proper session check?

m002.p 01-23-2009 04:54 PM
As I thought sadly.

I would do the normal session check however unfortunetly I do not know or cannot find a secure way of doing it.

Could you advise please?

Thanks Dismounted.

Dismounted 01-24-2009 02:45 AM
As long as the two sites are on the same server, you can include global.php, this will do all the checking for you.

blayke 01-24-2009 05:00 AM
It is not hard to spoof an IP address and all it takes to find out someone's IP is social engineering or a file transfer over aim or msn.

m002.p 01-24-2009 09:37 AM
I agree blayke, but for my requirements it would be easier said then done :)


All times are GMT. The time now is 12:47 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01168 seconds
  • Memory Usage 1,721KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_php_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (6)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete