Yes, it&#39;s safe. It is the source IP of the TCP connection and can&#39;t be substituted by changing an HTTP header.

One case you may want to be worry of is if you are behind a reverse proxy in which case the REMOTE_ADDR will always be the IP of the proxy server and the user IP will be provided in an HTTP header (such as [X-Forwarded-For](http://en.wikipedia.org/wiki/X-Forwarded-For)). But for the normal use case reading REMOTE_ADDR is fine.

`$_SERVER[&#39;REMOTE_ADDR&#39;]` is the IP address the TCP connection came in on. While it is technically possible to bidirectionally spoof IP addresses on the Internet (by announcing foul routes via BGP), such attacks are likely to be spotted and not available to the typical attacker - basically, your attacker must have control over an ISP or carrier. There are no feasible unidirectional spoofing attacks against TCP (yet). Bidirectional IP spoofing is trivial on a LAN though.

Also be aware that it may be not be an IPv4, but an IPv6 address. Your current check is fine in that regard, but if you would check that `1.2.3.4` only occurs *anywhere* within `$_SERVER[&#39;REMOTE_ADDR&#39;]`, an attacker could simply connect from `2001:1234:5678::1.2.3.4`.

Summarily, for anything other than critical (banking/military/potential damage &gt;50.000€) applications, you can use the remote IP address if you can exclude attackers in your local network.

As mentioned above, it&#39;s not absolutely safe. But it doesn&#39;t mean, that you shouldn&#39;t use it. Consider combine this with some other methods of authentication, for instance checking COOKIE values.

I have a form upload that works but I would like to pass model information for my database to save the file with a different name of course.

Here is my Razor view:

    @model CertispecWeb.Models.Container
        
    @{
      ViewBag.Title = &quot;AddDocuments&quot;;
    }
        
    &lt;h2&gt;AddDocuments&lt;/h2&gt;
      
    @Model.ContainerNo
     
    @using (Html.BeginForm(&quot;Uploadfile&quot;, &quot;Containers&quot;, FormMethod.Post, 
                new { enctype = &quot;multipart/form-data&quot; }))
    {
        &lt;input type=&#39;file&#39; name=&#39;file&#39; id=&#39;file&#39; /&gt;
        &lt;input type=&quot;submit&quot; value=&quot;submit&quot; /&gt;
    }

Here is my Controller:

    [HttpPost]
    public ActionResult Uploadfile(Container containers, HttpPostedFileBase file)
    {
         if (file.ContentLength &gt; 0)
         {
            var fileName = Path.GetFileName(file.FileName);
            var path = Path.Combine(Server.MapPath(&quot;~/App_Data/Uploads&quot;),
                           containers.ContainerNo);
            file.SaveAs(path);
         }
    
         return RedirectToAction(&quot;Index&quot;);
    }


The model information is not passed through to the controller. I have read that I might need to update the model, how would I do this ?



MVC 3 file upload and model binding

I am trying to give my div and textarea some padding. When I do this, it increases the size of the element, instead of shrinking the content area inside of it. Is there any way to achieve what I am trying to do?

Why does CSS padding increase size of element?

Is it safe to trust `$_SERVER[&#39;REMOTE_ADDR&#39;]`? Can it be substituted by changing the header of request or something like that?

Is it safe to write something like that?

    if ($_SERVER[&#39;REMOTE_ADDR&#39;] == &#39;222.222.222.222&#39;) { // my ip address
        $grant_all_admin_rights = true;
    }

Is it safe to trust $_SERVER[&#39;REMOTE_ADDR&#39;]?

Is it safe to trust <code>$_SERVER['REMOTE_ADDR']</code>? Can it be substituted by changing the header of request or something like that?
Is it safe to write something like that?
<pre><code class="hljs language-perl">if ($_SERVER['REMOTE_ADDR'] == '222.222.222.222') { // my ip address
 $grant_all_admin_rights = true;
}
</code></pre>

Today I was playing with PHP, and I discovered that the string values &quot;true&quot; and &quot;false&quot; are not correctly parsed to boolean in a condition, for example considering the following function:

    function isBoolean($value) {
       if ($value) {
          return true;
       } else {
          return false;
       }
    }

If I execute:

    isBoolean(&quot;true&quot;) // Returns true
    isBoolean(&quot;&quot;) // Returns false
    isBoolean(&quot;false&quot;) // Returns true, instead of false
    isBoolean(&quot;asd&quot;) // Returns true, instead of false

It only seems to work with &quot;1&quot; and &quot;0&quot; values:

    isBoolean(&quot;1&quot;) // Returns true
    isBoolean(&quot;0&quot;) // Returns false

Is there a native function in PHP to parse &quot;true&quot; and &quot;false&quot; strings into boolean?




Parsing a string into a boolean value in PHP

What does a `\` do in PHP?

For example, [CSRF4PHP](https://github.com/foxbunny/CSRF4PHP/blob/60d9172b7f0cd93346cac9065fb17182854ebf1c/CsrfToken.php#L80-L87) has `\FALSE`, `\session_id`, and `\Exception`:

    public function __construct($timeout=300, $acceptGet=\FALSE){
        $this-&gt;timeout = $timeout;
        if (\session_id()) {
            $this-&gt;acceptGet = (bool) $acceptGet;
        } else {
            throw new \Exception(&#39;Could not find session id&#39;, 1);
        }
    }

What does a \ (backslash) do in PHP (5.3+)?

My concept is - there are 10 pdf files in a website. User can select some pdf files and then select merge to create a single pdf file which contains the selected pages. How can i do this with php?

Merge PDF files with PHP

Every now and then I hear the advice &quot;Use bcrypt for storing passwords in PHP, bcrypt rules&quot;.

But what is `bcrypt`? PHP doesn&#39;t offer any such functions, Wikipedia babbles about a file-encryption utility and Web searches just reveal a few implementations of [Blowfish][1] in different languages. Now Blowfish is also available in PHP via `mcrypt`, but how does that help with storing passwords? Blowfish is a general purpose cipher, it works two ways. If it could be encrypted, it can be decrypted. Passwords need a one-way hashing function.

What is the explanation?

  [1]: http://en.wikipedia.org/wiki/Blowfish_%28cipher%29


How do you use bcrypt for hashing passwords in PHP?

I&#39;ve seen numerous examples on how to take a CSV file and then create an associative array with the headers as the keys.

For example:

    Brand,Model,Part,Test
    Honda,Civic,123,244
    Honda,Civic,135,434
    Toyota,Supra,511,664

Where it would create an Array such as     `Array[$num][$key]` where `$key` would be Brand, Model, Part, Test.

So If I wanted to access the test value &quot;434&quot; I would have to loop every index in the array and then ignore any Brands that were not honda, and any models that were not Civic

---------

What I need to do is access the value most directly, instead of running through a for loop going through each $num index. I want to be able to access the value test &quot;434&quot; with:

`Array[&#39;Honda&#39;][&#39;Civic&#39;][&#39;135&#39;]`

or control a for statement with looping through every model Honda has... something like

`foreach $model in Array[&#39;Honda&#39;]`

At the very least I need to be able to go through every model given a known Brand and access all the relative info for each.

Edit:

Just to confirm I was setting this up an example. My actually data has headers like:


`brand	model	part price	shipping	description	footnote`

Of which I need to access all the information tied to the part (price, shipping,desc, footnote)


CSV to Associative Array

I&#39;m writing a shell script that should be somewhat secure, i.e., does not pass secure data through parameters of commands and preferably does not use temporary files. How can I pass a variable to the standard input of a command?

Or, if it&#39;s not possible, how can I correctly use temporary files for such a task?


How can pass the value of a variable to the standard input of a command?

I have to implement secure [RESTful web services][1]. I already did some research using Google but I&#39;m stuck.

Options:

TLS (HTTPS) +

 - HTTP Basic (pc1oad1etter)
 - HTTP Digest 
 - [two-legged][2] [OAuth][3]
 - [a Cookie-based approach][4]
 - client certificates (Tom Ritter and [here][5])
 - Signed requests using [HMAC][6] and [a limited lifetime][7]

Are there more possible options to consider? If OAuth then what version? Does it even matter? From what I&#39;ve read so far [OAuth 2.0][8] with bearer tokens (that is without signatures) seems to be [insecure][9].

I&#39;ve found another very interesting article on [REST based authentication][10].

[Secure Your REST API... The Right Way][11]


  [1]: https://www.ibm.com/developerworks/webservices/library/ws-restful/
  [2]: https://stackoverflow.com/questions/4239846/2-legged-oauth-and-rest
  [3]: https://github.com/Mashape/mashape-oauth/blob/master/FLOWS.md
  [4]: https://stackoverflow.com/questions/319530/restful-authentication
  [5]: https://stackoverflow.com/questions/1522368/solutions-to-web-service-client-certificates-auth-best-practices
  [6]: http://en.wikipedia.org/wiki/HMAC
  [7]: http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
  [8]: http://tools.ietf.org/pdf/draft-ietf-oauth-v2-12.pdf
  [9]: http://hueniverse.com/2010/09/oauth-bearer-tokens-are-a-terrible-idea/
  [10]: http://www.berenddeboer.net/rest/authentication.html
  [11]: https://www.stormpath.com/blog/secure-your-rest-api-right-way

How to secure RESTful web services?

I am writing a `JACC` provider.

Along the way, this means implementing a [`PolicyConfiguration`](http://download.oracle.com/javaee/6/api/javax/security/jacc/PolicyConfiguration.html).

The `PolicyConfiguration` is responsible for accepting configuration information from the application server, such as which permissions accrue to which roles.  This is so that a [`Policy`](http://download.oracle.com/javase/6/docs/api/java/security/Policy.html) later on can make authorization decisions when handed [information about the current user](http://download.oracle.com/javase/6/docs/api/java/security/ProtectionDomain.html) and what he&#39;s trying to do.

However, it is not part of the `PolicyConfiguration`&#39;s (atrocious) contract to maintain a mapping between roles and their permissions, and `Principals` that are assigned to those roles.

Typically--always, really--an application server houses this mapping.  For example, on Glassfish, you affect this mapping by supplying things like `sun-web.xml` and `sun-ejb-jar.xml` and so on with your Java EE modules.  (These vendor-specific files are responsible for saying, e.g., `superusers` is a group that is to be assigned the application role of `admins`.)

I would like to reuse the functionality these files supply, and I would like to do so for as wide an array of application servers as possible.

Here is--totally arbitrarily--IBM&#39;s take on the matter, which appears to confirm my suspicion that what [I want to do is essentially impossible][1]. (More ammunition for my case that this particular Java EE contract is not worth the paper it&#39;s printed on.)

**My question:** how do I get at this principal-to-role-mapping information in--for starters--Glassfish and JBoss from within a `PolicyConfiguration`?  If there&#39;s a standard way to do it that I&#39;m unaware of, I&#39;m all ears.


  [1]: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/csec_jaccextensions.html

How can a JACC provider use the Principal-to-role mapping facilities of the server it&#39;s deployed on?

I never leave backdoors in my system, but out of curiosity I was wondering if I left a secret URL like /x52d23r that allowed to bypass some sort of security, and this was only for my personal use---would that be somehow discovered by a third party without getting the information from me?

For example, secret ports can be port scanned and fingerprinted, but can the same sort of tactic be done for secret URLs?

Are secret URLs truly secure?

What exactly is going on in the background that makes it so [SQLParameter][1] prevents SQL Inection attacks in a .NET Parameterized query?  Is it just stripping out any suspect characters or is there something more to it?

Has anyone out there checked to see what actually gets to SQL Server when you pass malicious input?

Related: https://stackoverflow.com/questions/4892027/can-you-use-a-sqlparameter-in-the-sql-from-statement/4892060#4892060

  [1]: http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx

How does SQLParameter prevent SQL Injection?

&gt; **Possible Duplicate:**  
&gt; [How to store an IP in mySQL](https://stackoverflow.com/questions/1108918/how-to-store-an-ip-in-mysql)  

&lt;!-- End of automatically inserted text --&gt;

I want to get the IP address from `$_SERVER[&#39;REMOTE_ADDR&#39;]` and some other `$_SERVER` variables, which datatype is the right one for this?

Is it `VARCHAR(n)`?

Which MySQL datatype to use for an IP address?

I&#39;ve been trying to get an efficient regex for IPv4 validation, but without much luck. It seemed at one point I had had it with `(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?(\.|$)){4}`, but it produces some strange results:


    $ grep --version
    grep (GNU grep) 2.7
    $ grep -E &#39;\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?(\.|$)){4}\b&#39; &lt;&lt;&lt; 192.168.1.1
    192.168.1.1
    $ grep -E &#39;\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?(\.|$)){4}\b&#39; &lt;&lt;&lt; 192.168.1.255
    192.168.1.255
    $ grep -E &#39;\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?(\.|$)){4}\b&#39; &lt;&lt;&lt; 192.168.255.255
    $ grep -E &#39;\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?(\.|$)){4}\b&#39; &lt;&lt;&lt; 192.168.1.2555
    192.168.1.2555

I did a search to see if this had already been asked and answered, but other answers appear to simply show how to determine 4 groups of 1-3 numbers, or do not work for me.



Validating IPv4 addresses with regexp

how can I convert a string ipAddress (struct in_addr) and vice versa?
and how do I turn in unsigned long ipAddress?
thanks

How to convert string to IP address and vice versa

i have a little problem with my script, where i need to convert ip in form &#39;xxx.xxx.xxx.xxx&#39; to integer representation and go back from this form.

    def iptoint(ip):
    	return int(socket.inet_aton(ip).encode(&#39;hex&#39;),16)
	
    def inttoip(ip):
    	return socket.inet_ntoa(hex(ip)[2:].decode(&#39;hex&#39;))
    
    
    In [65]: inttoip(iptoint(&#39;192.168.1.1&#39;))
    Out[65]: &#39;192.168.1.1&#39;
    
    In [66]: inttoip(iptoint(&#39;4.1.75.131&#39;))
    ---------------------------------------------------------------------------
    error                                     Traceback (most recent call last)
    
    /home/thc/&lt;ipython console&gt; in &lt;module&gt;()
    
    /home/thc/&lt;ipython console&gt; in inttoip(ip)
    
    error: packed IP wrong length for inet_ntoa`

Anybody knows how to fix that?

Conversion from IP string to integer, and backward in Python

I want to validate an IPv4 address using Java. It should be written using the [dot-decimal notation][1], so it should have 3 dots (&quot;`.`&quot;), no characters, numbers in between the dots, and numbers should be in a valid range. How should it be done?


  [1]: http://en.wikipedia.org/wiki/Dotted_decimal

Content Type	Original Author	Original Content on Stackoverflow
Question	Silver Light	View Question on Stackoverflow
Solution 1 - Php	sagi	View Answer on Stackoverflow
Solution 2 - Php	phihag	View Answer on Stackoverflow
Solution 3 - Php	Audio	View Answer on Stackoverflow

Is it safe to trust $_SERVER['REMOTE_ADDR']?

Php Problem Overview

Php Solutions

Solution 1 - Php

Solution 2 - Php

Solution 3 - Php

Why does CSS padding increase size of element?

MVC 3 file upload and model binding

Attributions