Arlen Cuss
3/30/2008 8:30:00 AM
[Note: parts of this message were removed to make it a legal post.]
Hi,
On Sun, Mar 30, 2008 at 7:24 PM, Ben Aroia <benaroia@gmail.com> wrote:
> <?php
> echo "<input type=\"hidden\" name = \"ip\" value=\"".$REMOTE_ADDR."\" />
> <br />";
> ?>
> and then a
> ip = cgi['ip'] in the ruby script.
>
This is dangerous to rely on. From a security point of view (why do you
want their IP anyway? question #1.), anyone could just submit a different
`ip' value and you'd record that.
So take Martin's advice as is: CGI.new.remote_addr will return the address
without it being submitted via the PHP script, hence this line of `attack'
is eliminated.
Cheers,
Arlen.
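
The difference between the two sources of the address, as an added example that is not part of the original message: a CGI script receives REMOTE_ADDR in its environment from the web server, while the hidden `ip` field is just part of the request body. The helper names and the sample environment and body below are constructed for illustration.

```ruby
require 'uri'
require 'ipaddr'

# Constructed sample of what a CGI script sees. REMOTE_ADDR is set by the web
# server from the connection; the body is whatever the client chose to send.
SAMPLE_ENV  = { 'REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '203.0.113.7' }.freeze
SAMPLE_BODY = 'name=ben&ip=10.0.0.1' # hidden field edited before submitting

# The address to record comes from the server-provided environment only.
# IPAddr.new raises if the value is not a well-formed address.
def recorded_ip(env)
  IPAddr.new(env.fetch('REMOTE_ADDR')).to_s
end

# Returns the submitted `ip` value when it disagrees with the connection's
# address (worth logging as tampering), or nil when absent or consistent.
def spoofed_ip_field(env, body)
  claimed = URI.decode_www_form(body).to_h['ip']
  return nil if claimed.nil?

  begin
    return nil if IPAddr.new(claimed) == IPAddr.new(env.fetch('REMOTE_ADDR'))
  rescue IPAddr::Error
    # The field is not even an address; treat it as a mismatch.
  end
  claimed
end

if __FILE__ == $PROGRAM_NAME
  puts "recorded: #{recorded_ip(SAMPLE_ENV)}"
  mismatch = spoofed_ip_field(SAMPLE_ENV, SAMPLE_BODY)
  puts "ignored client-supplied ip field: #{mismatch}" if mismatch
end
```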