Simple IP logging script

jellyfish

This is a simple IP logging script that i written, just hope that some of u could help to check if there is anything wrong with this script

<?php
$log_file = "ip.txt"; 
$ip = getenv('REMOTE_ADDR'); 
$fp = fopen("$log_file", "a");
fputs($fp, "$iprn");
flock($fp, 3); 
fclose($fp);
PRINT("Your Ip was logged.....$ip"); 
?>

drawmack

I see a couple of things:

1) You are opening the file in the same directory as the script is in, this means that php has write access to a directory that is accessible via a browser. Therefor, a novice hacker could destroy your site by writting their own php file to this directory then browsing to it.

2) While not truely necessary you should check if the file exists before you open it and if it does not exist create it and chmod it 777. That way you can modify the file through ftp instead of needing a php interface to modify it.

3) You lock the file after you've already written to it, which makes no sense. The only reason to lock a file is so that two writes don't happen at once.

jellyfish

Originally posted by drawmack
I see a couple of things:

1) You are opening the file in the same directory as the script is in, this means that php has write access to a directory that is accessible via a browser. Therefor, a novice hacker could destroy your site by writting their own php file to this directory then browsing to it.

2) While not truely necessary you should check if the file exists before you open it and if it does not exist create it and chmod it 777. That way you can modify the file through ftp instead of needing a php interface to modify it.

3) You lock the file after you've already written to it, which makes no sense. The only reason to lock a file is so that two writes don't happen at once.

erm... when i create the txt file i already chmod it to 777 sry for forgetting to state that.:p

if this logging script is include in my main page using
<?php
include("scriptname")
?>
would it be safer?

sry for the questions as i am really new to php language😃

drawmack

if php has write permissions in directories that can be accessed via a web browser then your site will never be secure period.

jellyfish

Originally posted by drawmack
if php has write permissions in directories that can be accessed via a web browser then your site will never be secure period.

then how do i solve this problem?? i want to be able to log the user's IP but also create a site that is safe