  1. #1
    SitePoint Addict
    Header Exploited - in Mail Script

    PHP Notice: Use of undefined constant HTTP_X_FORWARDED_FOR - assumed 'HTTP_X_FORWARDED_FOR'
    in /home/siteo/public_html/site.com/submit/message.php on line 158

    TECH SUPPORT said: Spammers can set the HTTP_X_FORWARDED_FOR header themselves to anything they want. So you need to change this coding so that spammers can't exploit it.
    Please let us know if you need further assistance.

    Code:
    
    ////////////////////////////
    // begin global functions //
    ////////////////////////////
    // get visitor IP
    function getIP()
    {
        // NOTE: the bare HTTP_X_FORWARDED_FOR below (no quotes) is an undefined
        // constant, which is what triggers the PHP Notice quoted above.
        if(getenv(HTTP_X_FORWARDED_FOR))
            $user_ip=getenv("HTTP_X_FORWARDED_FOR");
        else
            $user_ip=getenv("REMOTE_ADDR");
        return $user_ip;
    }
    Please help get this sorted out, as I have about 4,000 emails spammed to me and who knows how many going out.

  2. #2
    SitePoint Guru
    I believe the proper way to get this information is to use $_SERVER['HTTP_X_FORWARDED_FOR'] and to make sure it IS SET and not empty. This at the very least would get rid of the undefined constant error.
    PHP Code:
    <?php
    function getIP()
    {
        // Read the header through $_SERVER with a quoted key (no undefined
        // constant), and only use it when it is set and non-empty.
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '')
            $user_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        else
            $user_ip = $_SERVER['REMOTE_ADDR'];
        return $user_ip;
    }
    ?>

  3. #3
    SitePoint Addict
    Thanks. Somehow I will try this by swapping out the old with the better.

  4. #4
    SitePoint Author
    wwb_99
    First, why are you scanning this unless you know you are behind a reverse proxy? And if you know that you probably know the proxy's address, and then you can whitelist requests coming from there.

    That is, if you can trust user-given IP addresses and other HTTP headers at all...

  5. #5
    SitePoint Wizard
    TheRedDevil
    If a proxy is used, then depending on the software it might send other variable names for the remote IP.

    This should cover all of the names allowed by the standards.
    PHP Code:
    // $ref_ip stays unset if none of these headers is present.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ref_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) {
        $ref_ip = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ref_ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_PROXY_USER'])) {
        $ref_ip = $_SERVER['HTTP_PROXY_USER'];
    }
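Added example, not code posted by anyone in this thread: it puts together wwb_99's point in #4 (only believe a forwarding header when the request really arrived from your own reverse proxy, whose address you whitelist) with the header names TheRedDevil lists in #5. REMOTE_ADDR comes from the TCP connection and cannot be set by the sender, whereas X-Forwarded-For and friends are ordinary request headers anyone can type, which is exactly how the spammer in #1 got through. The trusted-proxy list, the function name getClientIp, and the three $_SERVER arrays are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Assumption: the site sits behind a
// reverse proxy whose address is known and listed in $trustedProxies.

/**
 * Resolve the client IP defensively.
 *
 * - If REMOTE_ADDR is not one of our proxies, the forwarding headers are
 *   untrusted user input and are ignored entirely.
 * - If it is one of our proxies, the first non-empty header from post #5's
 *   list is read as a "client, proxy1, proxy2" chain and walked from the
 *   right, skipping our own proxies, so a client cannot prepend fake hops.
 * - Every candidate is validated with filter_var() so that junk in a header
 *   never reaches the mail script as an "IP address".
 */
function getClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        // No usable connection address (e.g. a CLI run): nothing to trust.
        return '0.0.0.0';
    }

    // Direct connection: REMOTE_ADDR is the answer, whatever the headers say.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Header names from post #5; only the first non-empty one is consulted.
    $headerNames = [
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_CLIENT_IP',
        'HTTP_PROXY_USER',
    ];
    $chain = '';
    foreach ($headerNames as $name) {
        if (!empty($server[$name])) {
            $chain = (string) $server[$name];
            break;
        }
    }

    // Walk the chain right-to-left; the first hop that is not our proxy and
    // is a syntactically valid address is the client.
    $hops = array_reverse(array_map('trim', explode(',', $chain)));
    foreach ($hops as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
        // Not an IP address: the header is malformed or tampered with.
        break;
    }

    // Nothing trustworthy in the header: fall back to the proxy's own address.
    return $remote;
}

// --- Constructed sample requests (not real traffic) ---
$trusted = ['10.0.0.5']; // placeholder reverse-proxy address

$cases = [
    // 1. Direct hit with a forged header: REMOTE_ADDR wins.
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    // 2. Through the trusted proxy: the client address in the chain is used.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 10.0.0.5'],
    // 3. Through the trusted proxy, but the header holds no valid address.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not an address'],
];

foreach ($cases as $i => $server) {
    printf("case %d: %s\n", $i + 1, getClientIp($server, $trusted));
}
```

Run it from the command line with `php example.php`; in a real deployment you would call getClientIp($_SERVER, $trustedProxies). Case 1 shows the point of #4: a forged X-Forwarded-For on a direct connection is simply ignored. Case 3 shows why validation matters even behind a trusted proxy: a value that is not an address falls back to REMOTE_ADDR instead of being logged or mailed as if it were one.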