I have such a big problem, and i’ve been thinking about it for 2 days. I wrote a small class about catching unregistered (guest) users who can try SQL injection attack throught the URL and after 2 experiments their IP is blocked in my DB (so in array i store some signs),
$blockSigns = array ("'", "/", "\", ":", "//", "and so on");
but:
- IP is not good solution (PHP cannot see LAN IP_s if server is under proxy), and even it can I cannot block it. I cannot block 192.168.1.10 🙂
- I don’t need WAN IP because, i cannot block site for a company because of one n00b.
- PHP cannot catch Mac address (mac isnot included in header)
- I want to block users that are guests also, so i don’t know their usernames or mail or something
if (isset($_SESSION[“user”])) {
$user = $_SESSION[“user”]; } else {
$user = “unknown”; }
-
I read that perl has some API called NET::MAC,
I decided to find user mac address by perl and integrate it in PHP. Is it possible?
if is, please how? I cannot understand.
if not:
how can I fix that problem? how can i identify user, if he/she isnot registered? is there any chance? please share your experience if you already had that kind of problem. thanks in advance…
It is impossible to get the MAC address of a user. The only mac address your server sees is that of the router it is connected to. And if you blocked this, you’d block all traffic coming to your server.
So as @Jon said, if your application is secure you shouldn’t have to care about people trying to inject things.
Your way to detect SQL injection is horribly by the way. Especially
'and:but also the other characters are perfectly valid in most contexts. For example, a user’s real name might include'. However, you do not need to add such detection code at all – if you escape all untrusted input properly or you use prepared statements for your queries (better) your application is not vulnerable to SQL injection at all.