我想统计我网页上的唯一访问者。我使用以下功能获取客户端的IP:
$ipaddress = '';
if ($_SERVER['HTTP_CLIENT_IP'])
$ipaddress = $_SERVER['HTTP_CLIENT_IP'];
else if($_SERVER['HTTP_X_FORWARDED_FOR'])
$ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
else if($_SERVER['HTTP_X_FORWARDED'])
$ipaddress = $_SERVER['HTTP_X_FORWARDED'];
else if($_SERVER['HTTP_FORWARDED_FOR'])
$ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
else if($_SERVER['HTTP_FORWARDED'])
$ipaddress = $_SERVER['HTTP_FORWARDED'];
else if($_SERVER['REMOTE_ADDR'])
$ipaddress = $_SERVER['REMOTE_ADDR'];
else
$ipaddress = 'UNKNOWN';
return $ipaddress;
在将它插入数据库之前,我应该调用它的htmlspecialchars()
函数吗?我听说有可能操作标头并更改IP地址以添加XSS或SQL注入(我已经调用了real_escape_string()
函数)攻击。
考虑到您期望的数据类型是IP,您应该简单地验证特定的数据类型将以下内容添加到您的代码中
if(filter_var($ipaddress, FILTER_VALIDATE_IP)) return $ipaddress;
else return "Unknown";
这基本上验证了它是一个实际的IP,因此没有SQL注入攻击向量甚至XSS可以通过它