Re: Beginner's trouble with substr [message #179464 is a reply to message #179460] Tue, 30 October 2012 05:30
C
On 30 Oct, 01:17, Denis McMahon <denismfmcma...@gmail.com> wrote:
> On Mon, 29 Oct 2012 10:40:31 -0700, C wrote:
>> On 29 Oct, 19:34, Salvatore <s...@yojimbo.hack.invalid> wrote:
>>> On 2012-10-29, wrong.addres...@gmail.com <wrong.addres...@gmail.com>
>>> wrote:
>
>>>> What am I doing wrong in this? The substr part does not seem to get
>>>> processed properly.
>
>>>> <?php
>
>>>> global $host;
>>>> $host=@gethostbyaddr($REMOTE_ADDR);
>>>> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
>>>>    {$realhost =
>>>>    @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
>>>> $referer = $HTTP_REFERER;
>
> /** NEED TO CHECK $host and $referer HERE **/
>
>>>> if (substr($host, -3) == ".xy") {exit;} //
>>>> if (substr($host, 6) == "abcd29") {exit;} //
>>>> if (substr($referer, -4) == ".xyz") {exit;} //
>
>>>> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>
>>>> ?>
>
>>> The first thing I see wrong is that the variable "$found" is not
>>> declared.
>
>>> What are you trying to achieve?
>> I took that code out which defines $found. The code is trying to avoid
>> some nasty visitors.
>
> Read http://php.net/manual/en/function.substr.php
>
> I think this line:
>
> if (substr($host, 6) == "abcd29") {exit;} //
>
> perhaps should be this:
>
> if (substr($host, 0, 6) == "abcd29") {exit;} //
>
> unless you actually want to match on 12 character long strings ending
> with "abcd29"
>
> substr( string, -n ) // reads the characters from -n to end of string
> substr( string, n ) // reads the characters from n to end of string
>
> If you want the first n characters, you want substr( string, 0, n )

Yes, this is clear to me now. Thanks.

>
> Also, why do you use: $REMOTE_ADDR,
> $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] and $HTTP_REFERER instead of
> $_SERVER['REMOTE_HOST'], $_SERVER['HTTP_X_FORWARDED_FOR'] and
> $_SERVER['HTTP_REFERER']

What is the difference?

>
> In addition, relying on HTTP_X_FORWARDED_FOR and HTTP_REFERER is
> unreliable, as these fields can be spoofed anyway!

I can use $_SERVER[***], but why are they more reliable?

>
> Are you relying on register_globals? Are register_globals enabled (they
> won't be if you have competent server admins)?

I have no idea. I am only recording some of these variables in a file.
I am not "relying" on them to do anything serious with them in the
code.

>
> Have you made *any* tests (at the point I marked the quoted code with
> "/** NEED TO CHECK $host and $referer HERE **/") to check that the string
> $host or $referrer you're checking is actually what you think it is?

Yes, they seem to be working all right. The referer is often fake and
I am intending to use that also to keep out undesirable people. They
seem to fake it in certain ways.

>
> How do you know the gethostbyaddr($REMOTE_ADDR) and
> gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]) calls are not
> failing (which would indicate you were incorrectly assuming
> register_globals)? You have the calls set to fail silently, which means
> that they could be delivering the binary value FALSE and you don't even
> know it.

That is correct. Sometimes I get only the IP numeric address, and
sometimes the hostname.

>
> Also see my other comments about using the web server to do this without
> letting the "nasty visitors" near the php!

Yes. Thanks for all this.

>
> Rgds
>
> Denis McMahon
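
Added example, not code from the thread or its participants: the host check discussed above, keyed only on `REMOTE_ADDR`, with `gethostbyaddr()` failures handled explicitly instead of silenced and `substr()` given explicit start/length arguments. The function names `resolve_host` and `is_blocked_host` are hypothetical, the block rules are the ones quoted in the thread, and the DNS data is constructed so the script runs offline (PHP 7.4 or later assumed).

```php
<?php
// Added example: hostname-based blocking using only REMOTE_ADDR.
// Rules (".xy" suffix, "abcd29" prefix) are the ones quoted in the thread;
// function names are hypothetical.

/** Resolve an IP to a host name, or null when there is no usable name. */
function resolve_host(string $ip, ?callable $lookup = null): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;                      // not an IP address at all
    }
    $lookup = $lookup ?? 'gethostbyaddr'; // no @: failures must stay visible
    $host = $lookup($ip);
    // gethostbyaddr() returns false on malformed input and the unmodified
    // IP string when no PTR record exists; neither is a host name.
    if ($host === false || $host === $ip) {
        return null;
    }
    return strtolower(rtrim($host, '.'));
}

/** Apply the thread's rules with explicit start/length arguments. */
function is_blocked_host(?string $host): bool
{
    if ($host === null) {
        return false;                     // unresolved: decide policy separately
    }
    return substr($host, -3) === '.xy'        // last 3 characters
        || substr($host, 0, 6) === 'abcd29';  // first 6 characters
}

// Constructed sample data; the resolver is stubbed so this runs offline.
$fake_dns = fn(string $ip) => [
    '192.0.2.10' => 'abcd29.example.net',
    '192.0.2.11' => 'dsl-7.provider.xy',
][$ip] ?? $ip;

foreach (['192.0.2.10', '192.0.2.11', '192.0.2.12', 'not-an-ip'] as $ip) {
    $host = resolve_host($ip, $fake_dns);
    printf("%-11s %-20s %s\n", $ip, $host ?? '(no name)',
        is_blocked_host($host) ? 'block' : 'allow');
}

// In a request handler: resolve_host($_SERVER['REMOTE_ADDR']).
// X-Forwarded-For and Referer are client-supplied: log them, don't gate on them.
```

The first two constructed addresses come out as `block`; the third has no PTR entry in the stub and the fourth is not an IP, so both are reported as `(no name)` and allowed.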