IP address SQL injection

ip-address sql-injection
Cyclone picture Cyclone · Jan 7, 2010 · Viewed 7.8k times · Source

Is it possible for a user to forge the result that is returned from $_SERVER['REMOTE_ADDR'] in PHP so they could in theory use SQL injection on a database?

This is a bit dumb, but I'm still new enough to PHP that I want to know if it can be done, whether or not I need to sanitize database input when the SELECT statement chooses from IP addresses returned from $_SERVER['REMOTE_ADDR']. So, if I wanted to use something like $query = "SELECT * FROM users WHERE IP='" . $_SERVER['REMOTE_ADDR'] . "'";, would there be any danger to my doing this?

Again, probably a "nooby" question, but I feel it must be asked.

Thanks

Answer

Neil N picture Neil N · Jan 7, 2010

It's a stretch, and unlikely, but I wouldn't go as far as to say it's impossible. So....

Use parameterized queries anyways.

Even if you never get attacked via the IP address field, you will still get the added benefit of faster queries through caching.

Related questions

How to get the client IP address in PHP

How can I get the client IP address using PHP? I want to keep record of the user who logged into my website through his/her IP address.

Read More
How to get client's IP address using JavaScript?

I need to somehow retrieve the client's IP address using JavaScript; no server side code, not even SSI. However, I'm not against using a free 3rd party script/service.

Read More
Get the client IP address using PHP

I want to get the client IP address who uses my website. I am using the PHP $_SERVER superglobal: $_SERVER['REMOTE_ADDR']; But I see it can not give the correct IP address using this. I get my IP address …

Read More