Are you blind? Look at the code again; it checks to see if the IP is in the list of trusted proxies before using that code. Like I said, you only run that code for trusted proxies. There is nothing wrong with the code; you just have to use it the right way.
public function getClientIps()
{
$ip...
Dude, we are just gonna keep going back and forth. If it's better to do it that way, how come Zend, CakePHP, Laravel, and Symfony don't do this?
You can think that validation is going to work, but I guarantee your validation is not gonna work, and yes, you can SPOOF the HTTP variable.
I am telling you what I can do if you check/use the `HTTP_` vars (spoofing). They are unsafe.
The best and only way is to check to see if `REMOTE_ADDR` is a trusted proxy; if it is, then you get the 'X_FORWARDED_ALL' header and use that. If it's not, then you use `REMOTE_ADDR`. That's the bottom line...
Please read https://paragonie.com/blog/2015/04/fast-track-safe-and-secure-php-sessions.
`REMOTE_ADDR` is good for session locking.
It's an old post, so I emailed them and they said it's good.
So using an `HTTP_` var is better. The var that can be spoofed. Read https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html.
`REMOTE_ADDR` is the most reliable way to get the user's IP address; if it's a TRUSTED proxy, then you check the proxy header. Notice all the...
This is extra validation that is not needed; if you first check the `HTTP_` vars, I can spoof any IP. ANY is the key word. Even a valid IP that is not mine. The reason `REMOTE_ADDR` is the best option is that it cannot be spoofed. Apache populates `REMOTE_ADDR` from a TCP socket that it uses to...
What does my code look like?
I think I found your way.
https://devbest.com/threads/php-pdo-vpn-proxy-restriction.81429/
And you know you only run this against TRUSTED proxies. Key word.
Why? Any HTTP headers come from the client and can be spoofed.
Look at...
Not the proper way lol. I want you to show me the proper way lol. That's funny.
Well, I wrote that code in 2 hours. Maybe after updating it will be better lol.
You might be the one late.
Does not look like what? From the looks of it, you do not know what the slash is. It does not escape lol...
I mentioned namespaces because it's the main reason why I
. Also, Laravel is not very good in standalone use. My components are. Also, I can build a framework, given time, that's faster than Laravel. I have a lot more experience than you think :).
The slashes avoid naming collisions.
https://stackoverflow.com/questions/3384204/what-are-namespaces/3384384#3384384
It's also a security enhancement due to the fact of I did not use slashes and the code was vulnerable to code injection they could inject code to modify the function. Now if...
Kooser Directory.
A PDO wrapper for secure connections.
<https://packagist.org/packages/kooser/directory>.
Features:
- Connection Manager
- SQL handler
Why:
This library makes the connection manager as well as the SQL handler injectable through service containers to make web development...
Kooser PasswordLock.
Secure your password using password lock.
<https://packagist.org/packages/kooser/password-lock>.
Features:
- Argon2id Hasher
- Argon2i Hasher.
- Bcrypt Hasher.
- Pbkdf2 Hasher.
Why:
This library makes the hasher injectable through service containers to make web...