Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

PHP IF ELSE Based on IP ?

Posted on 2014-10-07
4
Medium Priority
?
180 Views
Last Modified: 2014-10-10
I want to allow myself a pass-thru to the Drupal login page.

Login page is at /user and my IP is the 69.

Here's part of the code. When i run it, I just get white page.

$ref = $_SERVER["HTTP_REFERER"];
if(!$user->uid) {
		$ip = $_SERVER['REMOTE_ADDR'] == 69.143.164.204)
		header ("https://navigator-dev.cap.gsa.gov/user");
		} else {
				if ($ref != 'https://hallways-dev.fas.gsa.gov/hallways/ITHardware')
				{
					drupal_goto("https://hallways-dev.fas.gsa.gov/hallways/homepage/welcome.html");
					exit();
				}else {
				$username=base64_decode($_GET['c']);
				if($username) {
				$myaccount = cas_user_load_by_name($username);
				if ($myaccount) {
				$user = user_load( $myaccount->uid);
					}
				}	
				}
			}
	}

Open in new window

0
Comment
Question by:sandshakimi
  • 2
4 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 668 total points
ID: 40367079
You have an extra closing squiggly

And you need to wrap your IP in quotation marks

$ip = $_SERVER['REMOTE_ADDR'] == "69.143.164.204")
0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 668 total points
ID: 40367089
At a minimum you need to change these lines 3-4.  Deployed Drupal systems suppress error messages, so you may have some more work to do.  Perhaps you have an error_log file?
$ip = $_SERVER['REMOTE_ADDR'] == '69.143.164.204';
		header ("Location: https://navigator-dev.cap.gsa.gov/user");

Open in new window

0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40367094
Wow, or maybe I'm mistaken.  Can you just tell us in plain language what you want to achieve - looking at the code that doesn't work is kind of confusing to me.
0
 
LVL 36

Assisted Solution

by:gr8gonzo
gr8gonzo earned 664 total points
ID: 40367289
I have some big concerns about your code snippet.

1. IP filtering is not safe. IPs can be spoofed. It's fine as an outer layer of security to simply exclude the basic riff-raff, but that should be it. Don't use it to allow any special access to your system.

2. Don't hardcode your own IP into a security system's code. You never know if your IP might change or you might be at a different location than you expected, and you could get locked out.

3. I see a base64_decode() on a $_GET parameter called "c" - and then that value is  passed into a function that loads a user by that username value and looks like it logs the person in. That looks REALLY sketchy. Anyone can encode/decode Base64 values extremely easily, so you not only run the risk of exposing usernames, but you might be exposing that user's information later on. Don't take values from $_GET without data sanitation and some checks to make sure that it's not been tampered with (use some simple hashing checksums).

4. Don't use HTTP_REFERER as part of your security. It can easily be spoofed.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
In the below post we have mentioned the best hosting type for startups. Also, check out some of the superlative web hosting companies that are proposing affordable web hosting solutions to host your startup website.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question