«
»

Get visitor IP address – PHP

January 26, 2010, 11:42 PM

Simple code of the day:

function getIp(){//obtain the ip
		// if getenv results in something, proxy detected
		if (getenv('HTTP_X_FORWARDED_FOR')) {
			$ip=getenv('HTTP_X_FORWARDED_FOR');
		}
		else {// otherwise no proxy detected
			$ip=getenv('REMOTE_ADDR');
		}
 
		return $ip;
}

Anyway of doing this better?

Related Posts Related Websites
Help sharing and Flatter me ;)

Share
Category: PHP  |  Comment (RSS)  |  Trackback

6 Comments

  1. Nenillo says:
    January 27, 2010 at 2:36 PM

    I think it’s better to use the $_SERVER variable, anyway, the biggest problem I see is that you can’t trust HTTP_X_FORWARDED_FOR.

    REMOTE_ADDR will always value the IP that connects to the server and can not be cheated.

    HTTP_X_FORWARDED_FOR is set by HTTP headers, so you can not trust it. A malicious user is able to just put “0.0.0.0″ or any string he wants and if you are using your getIP() function to store logs you will be losing the trace of that user. Furthermore, as the malicious user is able to put any string on there, not just IPs, that can be used to hack something in you web app.

    One of my apps was once hacked using HTTP_X_FORWARDED_FOR. I was trusting the value and someone put javascript code on it, making alert messages appearing on my site.

    So I recommend to always store REMOTE_ADDR and if you want, store HTTP_X_FORWARDED_FOR as a plus, in a separate field, sanitizing the value.

  2. Chema says:
    January 27, 2010 at 3:23 PM

    mmm really interesting.

    The problem here it’s if the remote_addr it’s blank?

    What you should do then?

    do you mind to paste here the code you use?

    thanks!

  3. Nenillo says:
    January 27, 2010 at 3:43 PM

    REMOTE_ADDR as far as I know is never blank, it gives you who is connecting to your server, whatever the end point is (user or proxy)

    I think is a good practice to store this value, wether the connection is from an user or not. Also, if you want, you can store the HTTP_X_FORWARDED_FOR value.

    function get_show_ip() {
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR')) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
    $ip = $_SERVER['REMOTE_ADDR'];
    }
    return htmlspecialchars($ip);
    }

    $storeIP = $_SERVER['REMOTE_ADDR'];
    $showIP = get_show_ip()
    if($showIP == $storeIP) {
    $storeForwarded = ‘No’;
    } else {
    $storeForwarded = $showIP;
    }

    $storeIP var is only for storing in the DB. $showIP is the IP that will be showed in you app. $storeForward is the data that you’ll store in your “Forwarded” field in the DB. You can also check if HTTP_X_FORWARDED_FOR is really an IP using preg_match and drop the value if the regexp does not match.

  4. Chema says:
    January 27, 2010 at 5:30 PM

    thanks this is really usefull ;)

    for my app I only need the $_SERVER['REMOTE_ADDR'];, that’s all

  5. sas says:
    July 15, 2010 at 11:51 AM

    Can someone please tell me where the code should be pasted please? Should I paste the code at the registration page or? Thanks. I think it is very useful to know member IPs for additional security.

  6. Chema says:
    July 15, 2010 at 11:55 AM

    I do it at the beginning of the script and I retrieve it always ;)

Leave a Reply

Follow me