Web development, scripts, source code and IT stuff
Get visitor IP address – PHP
Simple code of the day:
function getIp() { // obtain the ip
    // if getenv results in something, proxy detected
    if (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    } else { // otherwise no proxy detected
        $ip = getenv('REMOTE_ADDR');
    }
    return $ip;
}
Any way of doing this better?
I think it’s better to use the $_SERVER variable, anyway, the biggest problem I see is that you can’t trust HTTP_X_FORWARDED_FOR.
REMOTE_ADDR will always hold the IP that connects to the server and cannot be cheated.
HTTP_X_FORWARDED_FOR is set by HTTP headers, so you cannot trust it. A malicious user is able to just put "0.0.0.0" or any string he wants, and if you are using your getIP() function to store logs you will be losing the trace of that user. Furthermore, as the malicious user is able to put any string in there, not just IPs, that can be used to hack something in your web app.
One of my apps was once hacked using HTTP_X_FORWARDED_FOR. I was trusting the value and someone put JavaScript code in it, making alert messages appear on my site.
So I recommend to always store REMOTE_ADDR and if you want, store HTTP_X_FORWARDED_FOR as a plus, in a separate field, sanitizing the value.
Mmm, really interesting.
The problem here is if the remote_addr is blank?
What should you do then?
Do you mind pasting here the code you use?
thanks!
REMOTE_ADDR, as far as I know, is never blank; it gives you who is connecting to your server, whatever the end point is (user or proxy).
I think it is a good practice to store this value, whether the connection is from a user or not. Also, if you want, you can store the HTTP_X_FORWARDED_FOR value.
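// IP to display: the forwarded header if present, otherwise the peer address.
// The header is client-supplied, so it is HTML-escaped before use.
function get_show_ip() {
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return htmlspecialchars($ip);
}

// Always store the address that actually connected to the server.
$storeIP = $_SERVER['REMOTE_ADDR'];
$showIP = get_show_ip();

// Separate "Forwarded" field: 'No' when no different forwarded value was sent.
if ($showIP == $storeIP) {
    $storeForwarded = 'No';
} else {
    $storeForwarded = $showIP;
}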
$storeIP var is only for storing in the DB. $showIP is the IP that will be shown in your app. $storeForwarded is the data that you’ll store in your “Forwarded” field in the DB. You can also check if HTTP_X_FORWARDED_FOR is really an IP using preg_match and drop the value if the regexp does not match.
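The separate-field approach and the "is it really an IP" check suggested in the comment above, as an added example that is not part of the original thread: it uses PHP's filter_var() with FILTER_VALIDATE_IP in place of the preg_match the comment mentions, and handles the comma-separated list a proxy chain produces. The function names, the length and entry limits, and the sample addresses are assumptions made up for the illustration.

```php
<?php
// Added example: parse_forwarded_for() and client_ip_record() are hypothetical names.

/**
 * Split an X-Forwarded-For value ("client, proxy1, proxy2") and keep only
 * the entries that are syntactically valid IPv4 or IPv6 addresses.
 */
function parse_forwarded_for(?string $header, int $maxEntries = 10): array
{
    if ($header === null || $header === '' || strlen($header) > 512) {
        return [];                      // absent or suspiciously long: drop it
    }
    $valid = [];
    foreach (array_slice(explode(',', $header), 0, $maxEntries) as $entry) {
        $entry = trim($entry);
        if (filter_var($entry, FILTER_VALIDATE_IP) !== false) {
            $valid[] = $entry;          // anything that is not an IP is discarded
        }
    }
    return $valid;
}

/**
 * Build the record to store: REMOTE_ADDR is the address of the connecting
 * peer; the forwarded list is client-supplied and kept in a separate field.
 */
function client_ip_record(array $server): array
{
    $forwarded = parse_forwarded_for($server['HTTP_X_FORWARDED_FOR'] ?? null);
    return [
        'ip'        => $server['REMOTE_ADDR'] ?? '',
        'forwarded' => $forwarded ? implode(',', $forwarded) : 'No',
    ];
}

// Constructed sample requests (documentation address ranges, not real traffic).
$samples = [
    ['REMOTE_ADDR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 2001:db8::1'],
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>'],
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23, not-an-ip'],
];
foreach ($samples as $s) {
    $r = client_ip_record($s);
    // Escape at output time as well, whatever the stored field contains.
    echo htmlspecialchars($r['ip'] . ' | ' . $r['forwarded'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

A validated forwarded value is still only what the client claimed; it belongs in the log as extra context next to REMOTE_ADDR, not in place of it.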
Thanks, this is really useful ;)
for my app I only need the $_SERVER['REMOTE_ADDR'];, that’s all
Can someone please tell me where the code should be pasted please? Should I paste the code at the registration page or? Thanks. I think it is very useful to know member IPs for additional security.
I do it at the beginning of the script and I retrieve it always ;)
How can you use the above PHP code, for storing both the Remote address and Xforwarded IP’s from the proxies,
and I am trying to store it into a flat text file and not into a DB.
so, can anyone please post the code for the same.
I guess $ip needs to be called with fwrite and fread with the filename,
but I needed it in correct syntax,
as I am not good at PHP skills.
Thanks in advance
That’s a bad idea… there’s going to be a moment where you can’t handle the file anymore since it’s too big…
Great write-up, but it doesn’t really to make use of my router ip, any hints?