Will the value of a set $_SERVER['HTTP_CLIENT_IP'] be an empty string?

I have a simple script that determines the IP address of a user:

    function GetIp() {
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
            // IP set by a shared internet connection
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            // IP passed along by a proxy
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }

Now on the web I saw someone using this script:

    if (isset($_SERVER['HTTP_CLIENT_IP']) && $_SERVER['HTTP_CLIENT_IP'] != '')
        $Ip = $_SERVER['HTTP_CLIENT_IP'];
    elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '')
        $Ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] != '')
        $Ip = $_SERVER['REMOTE_ADDR'];

I was wondering if my implementation was broken. Does it need to check whether the value of $_SERVER['HTTP_CLIENT_IP'], $_SERVER['HTTP_X_FORWARDED_FOR'] or $_SERVER['REMOTE_ADDR'] is empty? Or is it really not necessary?

+7
4 answers

If the reason you want to know the client's IP address is really important, throw all of this away.

Any of these header values can be faked freely.

REMOTE_ADDR is the only truly reliable information, as it is transmitted to you by your web server, which processes the request. Theoretically, you can falsify it too, but that is much more complicated than faking the value of a header, and a completely different class of attack.

There are exceptions in very, very specific hosting environments behind reverse proxies. In these cases, the person managing that proxy will be able to tell you which header value you need to check.

+12

From Kohana's Request class:

    if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) AND isset($_SERVER['REMOTE_ADDR'])
        AND in_array($_SERVER['REMOTE_ADDR'], Request::$trusted_proxies))
    {
        // Use the forwarded IP address, typically set when the
        // client is using a proxy server.
        // Format: "X-Forwarded-For: client1, proxy1, proxy2"
        $client_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);

        Request::$client_ip = array_shift($client_ips);

        unset($client_ips);
    }
    elseif (isset($_SERVER['HTTP_CLIENT_IP']) AND isset($_SERVER['REMOTE_ADDR'])
        AND in_array($_SERVER['REMOTE_ADDR'], Request::$trusted_proxies))
    {
        // Use the forwarded IP address, typically set when the
        // client is using a proxy server.
        $client_ips = explode(',', $_SERVER['HTTP_CLIENT_IP']);

        Request::$client_ip = array_shift($client_ips);

        unset($client_ips);
    }
    elseif (isset($_SERVER['REMOTE_ADDR']))
    {
        // The remote IP address
        Request::$client_ip = $_SERVER['REMOTE_ADDR'];
    }

This is as good as it gets. Note Request::$trusted_proxies, and that your $ip var is Request::$client_ip in this case.

+8

Do not check the HTTP_* headers for the client IP address unless you specifically know that your application is configured for a reverse proxy. Trusting the values of these headers will unconditionally allow users to spoof their IP address.

The only $_SERVER field containing a trusted value is REMOTE_ADDR.

+7
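The two answers above (the Kohana snippet and the "only REMOTE_ADDR is trusted" answer) both come down to the same rule: honour a forwarding header only when REMOTE_ADDR is a proxy you operate. The following is an added example, not code from the question, the answers or Kohana; resolveClientIp, the $trustedProxies list and the sample requests are all assumed. It goes one step beyond the Kohana snippet by walking the X-Forwarded-For chain from the right, since the leftmost entry is whatever the client chose to send and a proxy only appends to it.

```php
<?php
// Trusted-proxy-aware client IP lookup (added example, names assumed).
function resolveClientIp(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    // Without a valid REMOTE_ADDR there is nothing trustworthy to return.
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Direct connection (or unknown proxy): the TCP peer is the client,
    // and any forwarding header it sent is just user input.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $header) {
        if (empty($server[$header])) {
            continue;
        }
        // Walk the chain right-to-left, skipping our own proxies; the first
        // address that is not one of ours is the hop our edge actually saw.
        $hops = array_map('trim', explode(',', $server[$header]));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (in_array($hops[$i], $trustedProxies, true)) {
                continue;
            }
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
                return $hops[$i];
            }
            break; // malformed entry: trust nothing to its left
        }
    }
    // Trusted proxy but no usable header: fall back to the proxy address.
    return $remote;
}

// Constructed sample requests (no real traffic); 10.0.0.5 is our own proxy.
$trusted = ['10.0.0.5'];

// Case 1: client connects directly and sends a forged header.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
var_dump(resolveClientIp($direct, $trusted));

// Case 2: client sent a forged header, our proxy appended the real address.
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9'];
var_dump(resolveClientIp($proxied, $trusted));
```

In case 1 the header is ignored entirely; in case 2 an array_shift on the header, as in the Kohana snippet, would have returned the forged leftmost entry.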

The two are almost identical. In the script you found, the author simply checks that the element is set in the array before checking that it is not empty.

Regarding the use of the empty() function instead of a comparison, check out http://php.net/empty. Since you are dealing with a variable set by the environment, and not with user input, it does not matter which of the two options you choose. So your script should be fine.

+1
