$host = $_SERVER['HTTP_HOST'];
$ip = $_SERVER['REMOTE_ADDR'];
preg_match("/[^\.\/]+\.[^\.\/]+$/", $host, $matches);
$domain = $matches[0];
$url = explode($domain, $host);
$subdomain = str_replace('.', ' ', $url[0]);
I'm using this to grab the current subdomains as a formatted string.
Do I need to sanitize it much more than this if I want to insert $subdomain into a MySQL table for analytics?
I would assume there is really no way to perform an SQL injection inside the host section of a URL because any special characters will just break the initial DNS query/browser request, right? In Chrome, this would just perform a Google search for the URL instead of loading and other browsers would just say it's an invalid URL.
>>58055626
Also, I guess, same thing with $_SERVER['REMOTE_ADDR']?
I know things like the user agent are easily exploitable but I never sanitize this because I just assume it's not possible to exploit.
>>58055626
>>58055640
There's a built-in function for this you retard: mysqli_escape_string($db, $string).
Why are you even using php for this in the first place when you can just view the webserver logs?
>>58055905
Yes, I am very aware of that, thanks.
The procedure in OP isn't for sanitization - it's because I need it as an array for later on. Re-read the question.
I'm using PHP because it can provide me more information than Apache logs do.
>>58055918
Everything you've shown so far can be logged with nginx and I'm sure apache can do the same.
>>58055969
I chose database storage because it's not just for logging purposes. Other parts of my site will take this information via SELECT and perform some interesting analytics and access control operations on it automatically.
>>58055640
>I never sanitize this
fuck me
You should be sanitizing everything you put into a database. If you're building queries manually by concatenating strings you are doing it wrong.
here's a good php sanitation command: find . -iname '*.php' -delete
>>58056249
Ayy lmoa
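
An added example, not part of any post in the thread: one way to store the subdomain and client address discussed above, treating the Host header as client-supplied request data, validating it as a hostname, and inserting through a mysqli prepared statement instead of a concatenated query. The table `visits`, its columns, and both function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The table `visits`, its columns
// and both function names are hypothetical.

// Return the subdomain labels of a Host header value as an array, or null
// if the value is not a syntactically valid multi-label hostname.
function subdomain_labels(string $host): ?array
{
    // Drop an optional :port and normalise case.
    $host = strtolower((string) preg_replace('/:\d+$/', '', $host));
    // Each label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($host) > 253 || !preg_match("/^{$label}(?:\\.{$label})+$/D", $host)) {
        return null;
    }
    // Same heuristic as the original post: the last two labels are the domain.
    return array_slice(explode('.', $host), 0, -2);
}

// Validate both values, then insert them with bound parameters.
function log_visit(mysqli $db, string $host, string $ip): bool
{
    $labels = subdomain_labels($host);
    if ($labels === null || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false; // reject instead of storing malformed input
    }
    $subdomain = implode(' ', $labels);
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO visits (subdomain, ip) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $subdomain, $ip);
    return $stmt->execute();
}

// Constructed sample inputs for the parser (no database needed):
var_dump(subdomain_labels('a.b.example.com:8080')); // well-formed host with port
var_dump(subdomain_labels("bad'label.example.com")); // malformed host value
```

The array returned by `subdomain_labels()` can be reused directly where the original post needs the labels as an array; values later read back with SELECT should still go through bound parameters when they are used in further queries.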