Comments on: Get visitor IP address – PHP

By: router ip address

router ip address — Mon, 14 Feb 2011 22:00:34 +0000

Great write-up, but it doesn’t really to make use of my router ip, any hints?

By: Chema

Chema — Sat, 02 Oct 2010 07:27:50 +0000

That’s a bad idea…there’s going to be a moment were you can’t handle anymore the file since it’s too big….

By: Nitin

Nitin — Fri, 01 Oct 2010 17:33:49 +0000

How can you use the above PHP code, for storing both the Remote address and Xforwarded IP’s from the proxies,
and I am trying to store it into a flat text file and not into a DB.

so, can anyone please post the code for the same.
i guess $ip needs to be called with fwrite and fread with the filename,
but i needed it in correct syntax.
as i am not good at PHP skills

Thanks in advance

By: Chema

Chema — Thu, 15 Jul 2010 09:55:07 +0000

I do it at the beginning of the script and I retrieve it always ;)

By: sas

sas — Thu, 15 Jul 2010 09:51:59 +0000

Can someone please tell me where the code should be pasted please? Should I paste the code at the registration page or? Thanks. I think it is very useful to know member IPs for additional security.

By: Chema

Chema — Wed, 27 Jan 2010 16:30:04 +0000

thanks this is really usefull ;)

for my app I only need the $_SERVER['REMOTE_ADDR'];, that’s all

By: Nenillo

Nenillo — Wed, 27 Jan 2010 14:43:51 +0000

REMOTE_ADDR as far as I know is never blank, it gives you who is connecting to your server, whatever the end point is (user or proxy)

I think is a good practice to store this value, wether the connection is from an user or not. Also, if you want, you can store the HTTP_X_FORWARDED_FOR value.

function get_show_ip() {
if(isset($_SERVER['HTTP_X_FORWARDED_FOR')) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
return htmlspecialchars($ip);
}

$storeIP = $_SERVER['REMOTE_ADDR'];
$showIP = get_show_ip()
if($showIP == $storeIP) {
$storeForwarded = ‘No’;
} else {
$storeForwarded = $showIP;
}

$storeIP var is only for storing in the DB. $showIP is the IP that will be showed in you app. $storeForward is the data that you’ll store in your “Forwarded” field in the DB. You can also check if HTTP_X_FORWARDED_FOR is really an IP using preg_match and drop the value if the regexp does not match.

By: Chema

Chema — Wed, 27 Jan 2010 14:23:34 +0000

mmm really interesting.

The problem here it’s if the remote_addr it’s blank?

What you should do then?

do you mind to paste here the code you use?

thanks!

By: Nenillo

Nenillo — Wed, 27 Jan 2010 13:36:51 +0000

I think it’s better to use the $_SERVER variable, anyway, the biggest problem I see is that you can’t trust HTTP_X_FORWARDED_FOR.

REMOTE_ADDR will always value the IP that connects to the server and can not be cheated.

HTTP_X_FORWARDED_FOR is set by HTTP headers, so you can not trust it. A malicious user is able to just put “0.0.0.0″ or any string he wants and if you are using your getIP() function to store logs you will be losing the trace of that user. Furthermore, as the malicious user is able to put any string on there, not just IPs, that can be used to hack something in you web app.

One of my apps was once hacked using HTTP_X_FORWARDED_FOR. I was trusting the value and someone put javascript code on it, making alert messages appearing on my site.

So I recommend to always store REMOTE_ADDR and if you want, store HTTP_X_FORWARDED_FOR as a plus, in a separate field, sanitizing the value.