TechQA.

Can Request.UserHostAddress.ToString() be spoofed ? asp.net 4.0 - iis 7.5

1.6k views Asked by At

I am getting the visitors ip with this method Request.UserHostAddress.ToString()

Are there any chance that it can be spoofed or used for sql injection. What are the risks and possibilities. thank you.

asp.net 4.0 , c# 4.0 , IIS 7.5

asp.net request ip spoof
Original Q&A
2

There are 2 answers

3
Eystein Bye On BEST ANSWER

No. The IP is from the socket with the web server. It can not be spoofed (for more then one request). If the IP was spoofed, the client could only send a request to the server and would never see the reply.

I can not see how it can be used in a SQL injection, even if it was used directly in your SQL statement. It is an IP-address even if it was fake, and could not be SQL code.

Summary:

Spoofing: If the user has to navigate in your site (make more then one page-call). Then his IP needs to be correct (not spoofed).

Injection: The user can not put just any value into UserHostAddress: it needs to be an IP-address, and therefore can not be harmful if injected into your SQL statement.

4
Kinexus On

The IP address itself can be spoofed, but extremely unlikely.

It cannot be used for SQL injection.

Related Questions in ASP.NET

Related Questions in REQUEST

Related Questions in IP

Related Questions in SPOOF

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions