I'm not sure that the answers are still in place, but that may be confusing. I answer, in particular, to the part of your question that reads: "unavailable via the Internet." Here is my attempt to answer:
The web server, not PHP, listens on the socket and accepts connections. PHP can get connection information from $ _SERVER ( http://www.php.net/manual/en/reserved.variables.server.php ). Keep in mind that everything you check is related to where the connection came from - you cannot find out anything about whether your server is accessible through other IP addresses from $ _SERVER. For example, I can access a local Apache / PHP instance through any of:
So, if your plan is that the application should behave differently after seeing the "correct" value in $ _SERVER ["SERVER_ADDR"], you are probably pretty safe, that is, it is unlikely that the user can fake the user from the remote customer.
Having said all this, I would not use any of these methods to authenticate users or authorize user privileges / actions in a deployed application accessible via the Internet. The only exception may be if you have the entire application that should be accessible only when accessing from the local host - then this method probably makes good sense and will be safe enough for a personal application.
Errick
source share