Analysis of the client IP address source in a PHP voting program that restricts votes by IP address
This article analyzes where the client IP address comes from in a PHP voting program that restricts votes by IP address. It is shared here for your reference. The details are as follows:
A voting activity requires an IP address restriction: each IP address has a limited number of voting opportunities. I searched for the keywords "PHP client IP address" in a search engine, and the results were basically the following:
if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
    $onlineip = getenv('REMOTE_ADDR');
} elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
    $onlineip = $_SERVER['REMOTE_ADDR'];
}
This code is widely used in the Discuz forum software and in many other open-source PHP programs. The general idea is to obtain the final client IP address (the address of the user behind a proxy, when the site is accessed through one).
Many mature programs use this code to obtain the client's IP address, so I felt safe using it in my program. Fortunately, some colleagues later reminded me that this code cannot be used in a voting program that restricts by IP address, because HTTP_X_FORWARDED_FOR can be forged simply by adding an X-Forwarded-For header to the request. On the server side, $_SERVER['HTTP_X_FORWARDED_FOR'] receives the content of this request header.
The following demonstrates this:
The page http://localhost/i.php obtains the IP address with the code above and prints it.
The code below constructs a request to this URL, with an X-Forwarded-For header added to the request:
// Build a raw HTTP request whose X-Forwarded-For header is set by the client
$head = array();
$head[] = 'GET /i.php HTTP/1.1';
$head[] = 'Host: localhost';
$head[] = 'X-Forwarded-For: 255.255.255.255';
$head[] = 'Connection: Close';
$head = join("\r\n", $head);
$head .= "\r\n\r\n";
// Send the request and print the raw response
$fp = fsockopen('localhost', 80);
fwrite($fp, $head);
$response = array();
while ($buff = fread($fp, 4096)) {
    $response[] = $buff;
}
fclose($fp);
print join('', $response);
After executing this code, we can see that the server (localhost/i.php) prints 255.255.255.255.
This shows that this method of obtaining the client IP address cannot be used in a voting activity that restricts by IP address, because the client IP address it returns can be forged. Although $_SERVER['REMOTE_ADDR'] is not necessarily the user's final IP address, using it directly makes the restriction effective.
Of course, this does not mean the original code is wrong. Where the requirement is not to restrict by IP address, it should still be used. For example, a website with many regional sub-sites can use it to redirect users directly to the sub-site for their region.
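An added example, not code from the original article: one way to choose the address that a per-IP vote limit keys on. It uses REMOTE_ADDR and reads X-Forwarded-For only when the connection comes from a reverse proxy listed in $trustedProxies. The function name voteClientIp, the $trustedProxies list and the sample addresses are assumptions, and the proxy is assumed to append the address it saw to the end of X-Forwarded-For.

```php
<?php
// Added example (not from the article). voteClientIp() and $trustedProxies
// are hypothetical names; $trustedProxies lists your own reverse proxies.
// HTTP_CLIENT_IP is never read: like every HTTP_* value it is a request header.
function voteClientIp(array $server, array $trustedProxies = []): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null; // no usable TCP peer address: refuse the vote
    }
    // Direct connection, or peer is not one of our proxies: ignore all headers.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    // Peer is our proxy: walk X-Forwarded-For from right to left and return
    // the first hop that is not a trusted proxy. Anything further left was
    // supplied by the client and is not trusted.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $peer; // missing or malformed chain: key on the proxy address
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $peer;
}

// Constructed sample requests (documentation-range addresses).
$forgedDirect = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '255.255.255.255', // header set by the client
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',        // our reverse proxy
    'HTTP_X_FORWARDED_FOR' => '255.255.255.255, 198.51.100.23',
];

// Direct request: the forged header is ignored and REMOTE_ADDR is used.
var_dump(voteClientIp($forgedDirect));
// Proxied request: the hop appended by the trusted proxy is used,
// not the forged left-most entry.
var_dump(voteClientIp($viaProxy, ['10.0.0.5']));
```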