Bertrand Mansion [2007-03-05 09:52 UTC] I think you should make it a PHP5 package and use class constants instead of defines and exceptions instead of pear errors. Or make your defines more standard, using a longer prefix to avoid collisions.
I am also afraid $_SERVER['REMOTE_ADDR'] is not reliable, especially if users are behind a router/proxy (they will share the same IP and they might be quickly locked out on big traffic or big corporate sites where users all connect at the same hour in the morning...).
As stated in this security report, it is also possible to spoof the IP adress given by $_SERVER['HTTP_X_FORWARDED_FOR'], so beware :
http://osvdb.org/displayvuln.php?osvdb_id=23882
There is also this comment, but I doubt it is more useful:
http://fr2.php.net/manual/en/reserved.variables.php#70640
This one might need more investigation:
http://fr3.php.net/manual/en/function.getenv.php#41833
It would be interesting to know what the various books on PHP security propose for such a problem.
Vagharshak Tozalakyan [2007-03-05 15:31 UTC] >> I think you should make it a PHP5 package and use class constants instead of defines and exceptions instead of pear errors. Or make your defines more standard, using a longer prefix to avoid collisions.
Sure, among other things it will allow to use different object-oriented features (e.g. abstract classes for storage drivers). The only reason because of which I have written a PHP4 compatible code is that many shared hosting servers do not support PHP5 till now. I'm a novice to PEAR development and would like to know what version of PHP is prefered to use for new packages?
Also I would like to know is there any recommendations on how to
construct name prefixes of defined constants?
>> I am also afraid $_SERVER['REMOTE_ADDR'] is not reliable, especially if users are behind a router/proxy (they will share the same IP and they might be quickly locked out on big traffic or big corporate sites where users all connect at the same hour in the morning...).
I agree with you on that issue, that's why I decided to allow the users to define a control criterion they will prefer as the second parameter of check() method. It may be a real IP address detected by one of the methods, an address of a subnet, a session identifier, a fingerprint calculated custom way, etc. What do you think , is it necessary to impose an IP detection method on the user?
Vagharshak Tozalakyan [2007-03-05 15:37 UTC] >> I think you should make it a PHP5 package and use class constants instead of defines and exceptions instead of pear errors. Or make your defines more standard, using a longer prefix to avoid collisions.
Sure, among other things it will allow to use different object-oriented features (e.g. abstract classes for storage drivers). The only reason because of which I have written a PHP4 compatible code is that many shared hosting servers do not support PHP5 till now. I'm a novice to PEAR development and would like to know what version of PHP is prefered to use for new packages?
Also I would like to know is there any recommendations on how to
construct name prefixes of defined constants?
>> I am also afraid $_SERVER['REMOTE_ADDR'] is not reliable, especially if users are behind a router/proxy (they will share the same IP and they might be quickly locked out on big traffic or big corporate sites where users all connect at the same hour in the morning...).
I agree with you on that issue, that's why I decided to allow the users to define a control criterion they will prefer as the second parameter of check() method. It may be a real IP address detected by one of the methods, an address of a subnet, a session identifier, a fingerprint calculated custom way, etc. What do you think , is it necessary to impose an IP detection method on the user?
|
