Learn how PHP obtains client IP

This article explains how to get the client IP through PHP

Get the IP function as follows:

function GetIP () {    $realip = ';//Set default value    if (isset ($_server[' http_x_forwarded_for ')) {        $realip = $_server[ ' Http_x_forwarded_for '];    } ElseIf (Isset ($_server[' http_client_ip ')) {        $realip = $_server[' http_client_ip '];    } else {        $realip = $_ server[' remote_addr ');    }    Preg_match ('/^ (?: \ \ D{1,3}\.) {3}\d{1,3})/', $realip, $match);        if ($match && iptype ($match [0]) = = ' Internet network address ') {                return  $match [0];        } else{                return  false;        }}

Internet allows use of IP address

function Iptype ($ip) {$iplist = Explode (".", $ip);        if ($iplist [0] >= 224 && $iplist [0] <= 239) return ' multicast ';    if ($iplist [0] >= && $iplist [0] <= 255) return ' reserved ';    if (Preg_match ('/^198\.51\.100/', $ip)) return ' test-net-2, documents and examples ';    if (Preg_match ('/^203\.0\.113/', $ip)) return ' test-net-3, documents and examples '; if (Preg_match ('/^192\.    18|19) (\./', $ip)) return ' network benchmark ';    if (Preg_match ('/^192\.168/', $ip)) return ' private network [intranet] ';    if (Preg_match ('/^192\.88\.99/', $ip)) return ' ipv6to4 relay ';    if (Preg_match ('/^192\.0\.2\./', $ip)) return ' test-net-1, documents and examples ';    if (Preg_match ('/^192\.0\.0\./', $ip)) return ' reserved (IANA) ';    if (Preg_match ('/^192\.0\.0\./', $ip)) return ' reserved (IANA) ';    if ($iplist [0] = = 172 && $iplist [1] <= && $iplist [1] >=) return ' private network [intranet] ';    if ($iplist [0] = = 169 && $iplist [1] = = 254) return ' link local '; if ($ipList[0] = = 127) return ' loopback address ';    if ($iplist [0] = = Ten) return ' private network [intranet] ';    if ($iplist [0] = = 0) return ' This network (valid only as source address) '; Return ' Internet network Address ';}

Common access to IP functions on the Web is as follows:

Public Function Get_real_ip () {    static $realip;    if (Isset ($_server)) {        if (isset ($_server[' http_x_forwarded_for ')) {            $realip = $_server[' Http_x_forwarded_ For '];        } else if (isset ($_server[' http_client_ip ')) {            $realip = $_server[' http_client_ip '];        } else {            $realip = $_ server[' REMOTE_ADDR ';        }    } else {        if (getenv (' http_x_forwarded_for ')) {            $realip = getenv (' http_x_forwarded_for ');        } else if ( getenv (' http_client_ip ')) {            $realip = getenv (' http_client_ip ');        } else {            $realip = getenv (' Remote_ ADDR ');        }    }    return $realip;}

The difference between ' remote_addr ', ' http_x_forwarded_for ', ' http_client_ip '?

1. ' REMOTE_ADDR ' is the remote IP, the default from the TCP connection is the IP of the client. It can be said that it is most accurate, OK, and will only get the client IP directly connected to the server. If the other side through the proxy server online, it is found. Get to the proxy server IP.

such as: A->b (proxy)->c, if C through ' remote_addr ', can only get to the IP of B, get less than the IP of a.

2. ' Http_x_forwarded_for ', ' http_client_ip ' in order to be able to get to the most original user IP in a large network, or proxy IP address. Extend the HTTP protocol. Defines the entity header.

Http_x_forwarded_for = Clientip,proxy1,proxy2 all IPs with "," split. HTTP_CLIENT_IP in the Advanced anonymous proxy, this represents the proxy server IP. Since the HTTP protocol extends an entity header, and this value is trusted for the incoming side, trust the incoming party to enter it in the regular format. The following is illustrated in the X_forword_for example, which, under normal circumstances, changes the value of the process.

The risk point lies in:

These variables, from the HTTP request: X-forword-for field, and the Client-ip field. The normal proxy server will, of course, pass these values in accordance with the RFC specification. However, when a user constructs the X-forword-for value directly, it is sent to the user, which is like having a field that can write to any value directly. and the server reads directly, or writes to the database, or makes the display. It will pose a risk, as is the case with normal input inputs without any filtering detection, as well as manipulating data source results.

For the above GetIP function:

In addition to the client can arbitrarily spoof IP, and can be passed in any format IP. This results in 2 big problems, one of which is if you set up a page and do IP restrictions. The other side can easily modify the IP to constantly request the page. Second, if you use this kind of data directly, it will bring SQL registration, cross-site attacks and other vulnerabilities. As for one, you can limit your business, preferably without using IP restrictions. For the second, this kind can bring huge network risk. We must correct them.

This article explains how to get client IP through PHP, and more about the PHP Chinese web.