[thelist] Worried...please help

Ken Schaefer ken at adOpenStatic.com
Tue Jun 17 22:48:49 CDT 2003


Um,

Steve's code won't actually do anything to prevent the problem, since
Request.ServerVariables("Local_Addr") will always be the IP address that the
website is bound to.

Pete's point, as far as I can tell, is incorrect. The
Request.ServerVariables("Local_Addr") is populated internally on the
webserver, and doesn't rely on information posted by the browser. I'm not
sure how there's a trivial way to "spoof" this.

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Koutoulas, Pete" <PKOUTOUL at Fayette.k12.ky.us>
Subject: RE: [thelist] Worried...please help


: On Tuesday, June 17, 2003 10:17 AM, Steve Cook wrote:
:
: > You could check that the information being submitted to your
: > application only comes from forms located on your server. Depending
: > upon which scripting language you're using on the server there are
: > different ways of doing this, but in ASP for instance you would do
: > something like the following:
: >
: > if Request.ServerVariables("LOCAL_ADDR") <> strYourIPNumber then
: > 'Return with an error
: > end if
:
: I wouldn't depend on that -- too easy to spoof.
:
:     [ pete ]
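
An added illustration of the point in Ken's reply, not code from any poster in this thread: a small Python server models LOCAL_ADDR as the address of the server's own end of the connection and applies the quoted check to two submissions. SERVER_IP, the form URLs and the Referer header used to label each submission are constructed for the example.

```python
# Added illustration: models IIS's LOCAL_ADDR with the accepting socket's own address.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVER_IP = "127.0.0.1"   # stands in for strYourIPNumber (constructed value)
seen = []                 # (Referer header, LOCAL_ADDR, check passed?) per request


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        # LOCAL_ADDR equivalent: the address of the server's end of the
        # connection, read from the socket, not from anything the client sent.
        local_addr = self.connection.getsockname()[0]
        passed = (local_addr == SERVER_IP)   # the quoted test, phrased as "ok"
        seen.append((self.headers.get("Referer"), local_addr, passed))
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200 if passed else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def run_demo():
    """POST twice, once 'from' each form location; return what the server saw."""
    seen.clear()
    server = HTTPServer((SERVER_IP, 0), Handler)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Constructed form locations: one on this site, one hosted elsewhere.
        for form_page in ("http://127.0.0.1/form.asp",
                          "http://elsewhere.example/copy-of-form.html"):
            conn = http.client.HTTPConnection(SERVER_IP, server.server_port)
            conn.request("POST", "/submit.asp", body="name=test",
                         headers={"Referer": form_page})
            conn.getresponse().read()
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return list(seen)


if __name__ == "__main__":
    for referer, local_addr, passed in run_demo():
        print(f"form at {referer!r}: LOCAL_ADDR={local_addr} check_passed={passed}")
```

Both submissions produce the same LOCAL_ADDR and both pass, so the comparison cannot tell where the form was located.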


