Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am getting the visitors ip with this method Request.UserHostAddress.ToString()
Are there any chance that it can be spoofed or used for sql injection. What are the risks and possibilities. thank you.
asp.net 4.0 , c# 4.0 , IIS 7.5
No. The IP is from the socket with the web server. It can not be spoofed (for more then one request). If the IP was spoofed, the client could only send a request to the server and would never see the reply.
I can not see how it can be used in a SQL injection, even if it was used directly in your SQL statement. It is an IP-address even if it was fake, and could not be SQL code.
Summary:
Spoofing: If the user has to navigate in your site (make more then one page-call). Then his IP needs to be correct (not spoofed).
Injection: The user can not put just any value into UserHostAddress: it needs to be an IP-address, and therefore can not be harmful if injected into your SQL statement.