[thelist] Worried...please help
Ken Schaefer
ken at adOpenStatic.com
Tue Jun 17 22:48:49 CDT 2003
Um,
Steve's code won't actually do anything to prevent the problem, since
Request.ServerVariables("Local_Addr") will always be the IP address that the
website is bound to.
Pete's point, as far as I can tell, is incorrect. The
Request.ServerVariables("Local_Addr") is populated internally on the
webserver, and doesn't rely on information posted by the browser. I'm not
sure how there's a trivial way to "spoof" this.
Cheers
Ken
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Koutoulas, Pete" <PKOUTOUL at Fayette.k12.ky.us>
Subject: RE: [thelist] Worried...please help
: On Tuesday, June 17, 2003 10:17 AM, Steve Cook wrote:
:
: > You could check that the information being submitted to your
: > application only comes from forms located on your server. Depending
: > upon which scripting language you're using on the server there are
: > different ways of doing this, but in ASP for instance you would do
: > something like the following:
: >
: > if Request.ServerVariables("LOCAL_ADDR") <> strYourIPNumber then
: > 'Return with an error
: > end if
:
: I wouldn't depend on that -- too easy to spoof.
:
: [ pete ]
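
The point made in the reply above, as an added example that is not part of the original thread: a small Python stand-in for the web server, in which the analogue of LOCAL_ADDR is read from the server's own end of the connection. `EXPECTED_IP`, the `/submit` path and both Referer values are constructed for illustration; the check passes for both requests because the value it inspects never depends on what the client sent.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_IP = "127.0.0.1"  # stands in for strYourIPNumber (constructed value)

class Handler(BaseHTTPRequestHandler):
    seen = []  # one (local_addr, referer, check_passed) tuple per request

    def do_POST(self):
        # Analogue of LOCAL_ADDR: the address of the server's side of the
        # connection, taken from the socket, not from the request.
        local_addr = self.connection.getsockname()[0]
        passed = (local_addr == EXPECTED_IP)  # the check from the quoted code
        Handler.seen.append((local_addr, self.headers.get("Referer"), passed))
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200 if passed else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def post(port, headers):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/submit", body="field=value", headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status

def run_demo():
    Handler.seen = []
    server = HTTPServer(("127.0.0.1", 0), Handler)  # any free loopback port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Request 1: submitted from the site's own form page.
        own = post(port, {"Referer": f"http://127.0.0.1:{port}/form.asp"})
        # Request 2: same POST, submitted from a page hosted elsewhere.
        other = post(port, {"Referer": "http://other-site.example/copy.html"})
    finally:
        server.shutdown()
        server.server_close()
    return own, other, list(Handler.seen)

if __name__ == "__main__":
    print(run_demo())
```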