Can Request.UserHostAddress.ToString() be spoofed ? asp.net 4.0 - iis 7.5

1.6k views Asked by At

I am getting the visitors ip with this method Request.UserHostAddress.ToString()

Are there any chance that it can be spoofed or used for sql injection. What are the risks and possibilities. thank you.

asp.net 4.0 , c# 4.0 , IIS 7.5

2

There are 2 answers

3
Eystein Bye On BEST ANSWER

No. The IP is from the socket with the web server. It can not be spoofed (for more then one request). If the IP was spoofed, the client could only send a request to the server and would never see the reply.

I can not see how it can be used in a SQL injection, even if it was used directly in your SQL statement. It is an IP-address even if it was fake, and could not be SQL code.

Summary:

Spoofing: If the user has to navigate in your site (make more then one page-call). Then his IP needs to be correct (not spoofed).

Injection: The user can not put just any value into UserHostAddress: it needs to be an IP-address, and therefore can not be harmful if injected into your SQL statement.

4
Kinexus On

The IP address itself can be spoofed, but extremely unlikely.

It cannot be used for SQL injection.