Solved

PHP IF ELSE Based on IP ?

Posted on 2014-10-07
149 Views
Last Modified: 2014-10-10
I want to allow myself a pass-thru to the Drupal login page.

Login page is at /user and my IP is the 69.

Here's part of the code. When I run it, I just get a white page.

$ref = $_SERVER["HTTP_REFERER"];
if(!$user->uid) {
		$ip = $_SERVER['REMOTE_ADDR'] == 69.143.164.204)
		header ("https://navigator-dev.cap.gsa.gov/user");
		} else {
				if ($ref != 'https://hallways-dev.fas.gsa.gov/hallways/ITHardware')
				{
					drupal_goto("https://hallways-dev.fas.gsa.gov/hallways/homepage/welcome.html");
					exit();
				}else {
				$username=base64_decode($_GET['c']);
				if($username) {
				$myaccount = cas_user_load_by_name($username);
				if ($myaccount) {
				$user = user_load( $myaccount->uid);
					}
				}	
				}
			}
	}


Question by:sandshakimi
4 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 167 total points
ID: 40367079
You have an extra closing squiggly

And you need to wrap your IP in quotation marks

$ip = $_SERVER['REMOTE_ADDR'] == "69.143.164.204")
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 167 total points
ID: 40367089
At a minimum you need to change these lines 3-4.  Deployed Drupal systems suppress error messages, so you may have some more work to do.  Perhaps you have an error_log file?
$ip = $_SERVER['REMOTE_ADDR'] == '69.143.164.204';
		header ("Location: https://navigator-dev.cap.gsa.gov/user");


0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40367094
Wow, or maybe I'm mistaken.  Can you just tell us in plain language what you want to achieve - looking at the code that doesn't work is kind of confusing to me.
0
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 166 total points
ID: 40367289
I have some big concerns about your code snippet.

1. IP filtering is not safe. IPs can be spoofed. It's fine as an outer layer of security to simply exclude the basic riff-raff, but that should be it. Don't use it to allow any special access to your system.

2. Don't hardcode your own IP into a security system's code. You never know if your IP might change or you might be at a different location than you expected, and you could get locked out.

3. I see a base64_decode() on a $_GET parameter called "c" - and then that value is passed into a function that loads a user by that username value and looks like it logs the person in. That looks REALLY sketchy. Anyone can encode/decode Base64 values extremely easily, so you not only run the risk of exposing usernames, but you might be exposing that user's information later on. Don't take values from $_GET without data sanitation and some checks to make sure that it's not been tampered with (use some simple hashing checksums).

4. Don't use HTTP_REFERER as part of your security. It can easily be spoofed.
0
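The following is an added example for this thread, not the asker's snippet and not Drupal's own code. It combines the fixes from the accepted answers (balanced braces, the IP quoted as a string, a "Location:" header followed by exit()) with the points in the comment above: the bare base64 username in $_GET['c'] is replaced by an HMAC-signed, expiring token, and HTTP_REFERER is not consulted. Everything named below is an assumption: HANDOFF_SECRET is a random value shared only with the site that issues the hand-off link, the token is read from $_GET['t'], the hosts and the IP are placeholders, and the Drupal 7 functions (drupal_goto, cas_user_load_by_name, user_load) are only referenced inside handoff_route(), which is meant to be called from within Drupal.

```php
<?php
// Added example for this thread; not the asker's code and not Drupal's API.
// Assumptions (not from the page): HANDOFF_SECRET is a long random value
// shared only with the issuing site, the token arrives in $_GET['t'], and
// the hosts/IP below are placeholders.

define('HANDOFF_SECRET', 'PLACEHOLDER-replace-with-32-random-bytes');
define('HANDOFF_TTL', 300);                 // seconds a hand-off link stays valid
$ALLOWED_IPS = array('203.0.113.10');       // placeholder (RFC 5737 range)

// Trusted side: build token = base64url("username|expiry|hmac").
// The HMAC covers both username and expiry, so neither can be edited in transit.
function handoff_issue($username, $now, $secret = HANDOFF_SECRET) {
    if ($username === '' || strpos($username, '|') !== false) {
        return NULL;                                       // would break the format
    }
    $exp = $now + HANDOFF_TTL;
    $payload = $username . '|' . $exp;
    $mac = hash_hmac('sha256', $payload, $secret);
    return rtrim(strtr(base64_encode($payload . '|' . $mac), '+/', '-_'), '=');
}

// Receiving side: return the username, or NULL for any malformed, expired
// or tampered token. The decoded name is not trusted until the MAC has been
// checked with a constant-time comparison.
function handoff_verify($token, $now, $secret = HANDOFF_SECRET) {
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding
    $raw = base64_decode($b64, true);                      // strict: reject junk
    if ($raw === false) {
        return NULL;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3) {
        return NULL;                                       // e.g. a bare base64 name
    }
    list($username, $exp, $mac) = $parts;
    if ($username === '' || !ctype_digit($exp) || (int) $exp < $now) {
        return NULL;                                       // missing name or expired
    }
    $expected = hash_hmac('sha256', $username . '|' . $exp, $secret);
    if (!hash_equals($expected, $mac)) {                   // hash_equals: PHP >= 5.6
        return NULL;                                       // tampered
    }
    return $username;
}

// Replacement for the flow in the question, to be called from a Drupal page:
// braces balanced, IP compared as a quoted string, Location: header followed
// by exit(), no HTTP_REFERER check. The IP list only chooses a route (send
// the admin to the login form); it never grants access by itself.
function handoff_route($user, $remote_addr, $token, $allowed_ips) {
    if ($user->uid) {
        return $user;                                      // already logged in
    }
    if (in_array($remote_addr, $allowed_ips, true)) {
        header('Location: https://navigator.example/user');   // placeholder host
        exit();
    }
    $username = ($token === NULL) ? NULL : handoff_verify($token, time());
    if ($username === NULL) {
        drupal_goto('https://hallways.example/welcome.html'); // placeholder host
        exit();
    }
    $myaccount = cas_user_load_by_name($username);
    if ($myaccount) {
        $user = user_load($myaccount->uid);
    }
    return $user;
}

// Self-check that runs outside Drupal:  php handoff.php
if (PHP_SAPI === 'cli') {
    $now = 1412640000;                                     // constructed timestamp
    $t = handoff_issue('alice', $now);
    var_dump(handoff_verify($t, $now) === 'alice');        // bool(true): good token
    var_dump(handoff_verify($t, $now + HANDOFF_TTL + 1));  // NULL: expired
    var_dump(handoff_verify(substr($t, 0, -4) . 'AAAA', $now)); // NULL: MAC altered
    var_dump(handoff_verify(base64_encode('bob'), $now));  // NULL: bare base64 name
}
```

Two notes on the design. $_SERVER['REMOTE_ADDR'] is taken from the TCP socket, so on a direct connection it is the peer that completed the handshake, but behind a load balancer or CDN it is the proxy's address and any X-Forwarded-For value is supplied by the client; in neither case should it do more than pick a route, which is why handoff_route() only redirects on a match. The token fixes the tampering problem but is still a bearer credential: keep the TTL short, treat the secret like a password, and, if links may be replayed, record used tokens server-side so each one is accepted once.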
