How to identify user in PHP?
I have such a big problem, and i've been thinking about it for 2 days. I wrote a small class about catching unregistered (guest) users who can try SQL injection attack throught the URL and after 2 experiments their IP is blocked in my DB (so in array i store some signs),
$blockSigns = array ("'", "/", "\", ":", "//", "and so on");
but:
- IP is not good solution (PHP cannot see LAN IP_s if server is under proxy), and even it can I cannot block it. I cannot block 192.168.1.10 :)
- I don't need WAN IP because, i cannot block site for a company because of one n00b.
- PHP cannot catch Mac address (mac isnot included in header)
- I want to block users that are guests also, so i don't know their usernames or mail or something
if (isset($_SESSION["user"])) { $user = $_SESSION["user"]; } else { $user = "unknown"; }
I read that perl has some API called NET::MAC,
http://metacpan.org/pod/Net::MAC
I decided to find user mac address by perl and integrate开发者_运维问答 it in PHP. Is it possible? if is, please how? I cannot understand. if not:
how can I fix that problem? how can i identify user, if he/she isnot registered? is there any chance? please share your experience if you already had that kind of problem. thanks in advance...
It is impossible to get the MAC address of a user. The only mac address your server sees is that of the router it is connected to. And if you blocked this, you'd block all traffic coming to your server.
So as @Jon said, if your application is secure you shouldn't have to care about people trying to inject things.
Your way to detect SQL injection is horribly by the way. Especially '
and :
but also the other characters are perfectly valid in most contexts. For example, a user's real name might include '
. However, you do not need to add such detection code at all - if you escape all untrusted input properly or you use prepared statements for your queries (better) your application is not vulnerable to SQL injection at all.
you could try to use the ip together with the user agent string and some more information like plugins. But if some tries it with his companies browser, the ip and the user agent should be the same.
so the only solution is:
Make your page safe, so that there is no chance for a SQL injection
Probably there is no ultimate solution. If you know the IP's of registered users you can allow only them to access your pages ( .htacces on Apache server). You can also try to set cookie after user is being registered and then you will be able to check if that specified cookie is present ( I will be possible only when user is using only one browser on the same computer, so you could also set it on every log in). Sessions always end when user closes a browser.
精彩评论