| Subject: | This class can be dangerous for... |
|---|---|
| Summary: | Package rating comment |
| Messages: | 2 |
| Author: | Artur Graniszewski |
| Date: | 2010-08-17 09:12:20 |
| Update: | 2010-08-17 09:43:22 |
Artur Graniszewski rated this package as follows:

| Utility: | Bad |
|---|---|
| Consistency: | Insufficient |
**Artur Graniszewski - 2010-08-17 09:12:20**

This class can be dangerous for non-pro developers.

Firstly: there is a security flaw in the IP detection algorithm: it's checking for the X-Forwarded-For and Client-Ip HTTP headers (ignoring REMOTE_ADDR if one of them is found). Those IPs can be easily spoofed by sending custom HTTP headers like so (pseudo code):

```http
GET / HTTP/1.0
Host: test.com
X-Forwarded-For: 127.0.0.1
```
Secondly: this code is a mess. Why should someone check the `$_SERVER` superglobal and then use the `getenv()` function, if this function also checks this array (plus `$_ENV`)? Additionally, `getenv()` is case insensitive, which for example helps on a Windows environment.
 
Lastly: why do you use `$this->localiza=$ipv;return $this->localiza`? `localiza` is defined as private, and you do not use it for reading, but for writing (setting) only.
 
 Summary: I do not recommend using this class because of security reasons.
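The flaw in the first point is a common one: any HTTP header, X-Forwarded-For and Client-Ip included, is chosen by whoever opens the connection, while REMOTE_ADDR is filled in by the web server from the TCP peer and cannot be set by a header. The following is an added example, not code from the reviewed package: the trusting lookup the message describes next to a hardened version that only honours X-Forwarded-For when REMOTE_ADDR is one of a list of reverse proxies the operator configures (`$trustedProxies` and the proxy address `10.0.0.5` are assumptions for the demonstration).

```php
<?php
// Added example (not the reviewed package's code). Both functions take
// the $_SERVER array as an explicit parameter so they can be exercised
// with constructed requests; in production you would pass $_SERVER.

declare(strict_types=1);

/**
 * Vulnerable pattern from the review: any client can send X-Forwarded-For
 * or Client-Ip, so whatever it sends replaces the real peer address.
 */
function clientIpTrusting(array $server): ?string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $key) {
        if (!empty($server[$key])) {
            return trim($server[$key]);
        }
    }
    return $server['REMOTE_ADDR'] ?? null;
}

/**
 * Hardened pattern.
 * - REMOTE_ADDR is the TCP peer the web server saw; it is the only value
 *   here that a request header cannot influence.
 * - X-Forwarded-For is consulted only when REMOTE_ADDR is one of the
 *   proxies in $trustedProxies (assumed, operator-supplied list).
 * - The header is a comma-separated chain that each proxy appends to, so
 *   it is walked from the right; the first hop that is not one of our own
 *   proxies is the address that connected to them. Anything the client
 *   prepended sits further left and is never reached.
 * - Client-Ip is ignored entirely: no proxy here is configured to set it.
 * - Every candidate is validated as an IP; a malformed chain falls back
 *   to REMOTE_ADDR instead of being guessed at.
 */
function clientIpHardened(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote; // direct connection: forwarding headers are untrusted
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: do not guess
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // the whole chain consisted of our own proxies
}

// Constructed requests for the demonstration (documentation address ranges).
$trusted = ['10.0.0.5']; // assumed address of the site's reverse proxy

$spoofedDirect = [
    'REMOTE_ADDR'          => '203.0.113.9', // real TCP peer
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',   // header chosen by that peer
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',    // our proxy
    // client prepended 127.0.0.1; the proxy appended the address it saw
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7',
];

var_dump(clientIpTrusting($spoofedDirect));
var_dump(clientIpHardened($spoofedDirect, $trusted));
var_dump(clientIpHardened($viaProxy, $trusted));
```

For the direct connection the trusting function reports the header value and the hardened one reports REMOTE_ADDR; for the proxied request the hardened function walks past the proxy and returns the address the proxy recorded, not the one the client prepended. The list of trusted proxies is the whole basis of the scheme: if it is empty, X-Forwarded-For is never read and REMOTE_ADDR is always used, which is the correct default for a server that is not behind a proxy.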
**Juan Chaves - 2010-08-17 09:43:22 - In reply to message 1 from Artur Graniszewski**

Thanks a lot for your feedback. I am new to classes (in fact, this was my first one). Your comments motivate me to go into deeper detail and to do all necessary changes until I get a good class.