Solved

PHP IF ELSE Based on IP ?

Posted on 2014-10-07
Last Modified: 2014-10-10
I want to allow myself a pass-thru to the Drupal login page.

Login page is at /user and my IP is the 69.

Here's part of the code. When I run it, I just get a white page.

$ref = $_SERVER["HTTP_REFERER"];
if(!$user->uid) {
		$ip = $_SERVER['REMOTE_ADDR'] == 69.143.164.204)
		header ("https://navigator-dev.cap.gsa.gov/user");
		} else {
				if ($ref != 'https://hallways-dev.fas.gsa.gov/hallways/ITHardware')
				{
					drupal_goto("https://hallways-dev.fas.gsa.gov/hallways/homepage/welcome.html");
					exit();
				}else {
				$username=base64_decode($_GET['c']);
				if($username) {
				$myaccount = cas_user_load_by_name($username);
				if ($myaccount) {
				$user = user_load( $myaccount->uid);
					}
				}	
				}
			}
	}

Question by:sandshakimi
4 Comments
 
LVL 58

Accepted Solution

by:Gary
Gary earned 167 total points
ID: 40367079
You have an extra closing squiggly

And you need to wrap your IP in quotation marks

$ip = $_SERVER['REMOTE_ADDR'] == "69.143.164.204")
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 167 total points
ID: 40367089
At a minimum you need to change these lines 3-4.  Deployed Drupal systems suppress error messages, so you may have some more work to do.  Perhaps you have an error_log file?
$ip = $_SERVER['REMOTE_ADDR'] == '69.143.164.204';
		header ("Location: https://navigator-dev.cap.gsa.gov/user");

 
LVL 109

Expert Comment

by:Ray Paseur
ID: 40367094
Wow, or maybe I'm mistaken.  Can you just tell us in plain language what you want to achieve - looking at the code that doesn't work is kind of confusing to me.
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 166 total points
ID: 40367289
I have some big concerns about your code snippet.

1. IP filtering is not safe. IPs can be spoofed. It's fine as an outer layer of security to simply exclude the basic riff-raff, but that should be it. Don't use it to allow any special access to your system.

2. Don't hardcode your own IP into a security system's code. You never know if your IP might change or you might be at a different location than you expected, and you could get locked out.

3. I see a base64_decode() on a $_GET parameter called "c" - and then that value is passed into a function that loads a user by that username value and looks like it logs the person in. That looks REALLY sketchy. Anyone can encode/decode Base64 values extremely easily, so you not only run the risk of exposing usernames, but you might be exposing that user's information later on. Don't take values from $_GET without data sanitation and some checks to make sure that it's not been tampered with (use some simple hashing checksums).

4. Don't use HTTP_REFERER as part of your security. It can easily be spoofed.
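
Point 3 above asks for a tamper check on the "c" parameter. The following is an added example (not code from this thread or from Drupal) that replaces the bare Base64 username with an expiring token authenticated by a keyed HMAC, since an unkeyed checksum can be recomputed by anyone. The function names, LINK_KEY and the token layout are assumptions.

```php
<?php
// Added example: function names, LINK_KEY and the token layout are hypothetical.
const LINK_KEY = 'placeholder-load-a-random-32-byte-key-from-config';

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $text): ?string {
    $padded = str_pad($text, strlen($text) + (4 - strlen($text) % 4) % 4, '=');
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

// Issue a token binding the username to an expiry time.
function make_login_token(string $username, int $ttl, int $now): string {
    $payload = b64url_encode(json_encode(['u' => $username, 'exp' => $now + $ttl]));
    return $payload . '.' . b64url_encode(hash_hmac('sha256', $payload, LINK_KEY, true));
}

// Return the username if the token is authentic and unexpired, otherwise null.
function verify_login_token(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url_encode(hash_hmac('sha256', $payload, LINK_KEY, true));
    if (!hash_equals($expected, $mac)) {   // constant-time comparison, checked before parsing
        return null;
    }
    $raw = b64url_decode($payload);
    $data = $raw === null ? null : json_decode($raw, true);
    if (!is_array($data) || !isset($data['u'], $data['exp'])
        || !is_string($data['u']) || !is_int($data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return $data['u'];
}

$now = 1412700000;                       // constructed timestamp for the demo
$token = make_login_token('alice', 300, $now);
$swapped = b64url_encode(json_encode(['u' => 'admin', 'exp' => $now + 300]))
    . '.' . explode('.', $token)[1];      // different payload, MAC reused from $token
var_dump(verify_login_token($token, $now + 60));    // issued token, inside its lifetime
var_dump(verify_login_token($swapped, $now + 60));  // altered payload
var_dump(verify_login_token($token, $now + 600));   // issued token, after expiry
```

A token like this only shows that the site issued the link and that it has not been altered; it is still a bearer credential carried in a URL, so the lifetime should stay short.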