Can Request.UserHostAddress.ToString() be spoofed ? asp.net 4.0 - iis 7.5
https://stackoverflow.com/questions/8170830
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDomanda
I am getting the visitors ip with this method Request.UserHostAddress.ToString()
Are there any chance that it can be spoofed or used for sql injection. What are the risks and possibilities. thank you.
asp.net 4.0 , c# 4.0 , IIS 7.5
Soluzione
No. The IP is from the socket with the web server. It can not be spoofed (for more then one request). If the IP was spoofed, the client could only send a request to the server and would never see the reply.
I can not see how it can be used in a SQL injection, even if it was used directly in your SQL statement. It is an IP-address even if it was fake, and could not be SQL code.
Summary:
Spoofing: If the user has to navigate in your site (make more then one page-call). Then his IP needs to be correct (not spoofed).
Injection: The user can not put just any value into UserHostAddress: it needs to be an IP-address, and therefore can not be harmful if injected into your SQL statement.
Altri suggerimenti
The IP address itself can be spoofed, but extremely unlikely.
It cannot be used for SQL injection.
