Getting started with PHP Variables Arrays Functional Programming Types Autoloading Primer Exception Handling and Error Reporting Working with Dates and Time Sending Email Sessions Cookies Classes and Objects Password Hashing Functions Output Buffering JSON SOAP Client Reflection Using cURL in PHP Dependency Injection XML Regular Expressions (regexp/PCRE)Traits Namespaces Parsing HTML Composer Dependency Manager Magic Methods Alternative Syntax for Control Structures File handling Magic Constants Type hinting Multi Threading Extension Filters & Filter Functions Generators Operators Constants UTF-8 URLs Object Serialization PHPDoc Contributing to the PHP Manual String Parsing Loops Control Structures Serialization Closure Reading Request Data Type juggling and Non-Strict Comparison Issues Security PHP MySQLi Command Line Interface (CLI)Localization Debugging Superglobal Variables PHP Unit Testing Variable Scope References Compilation of Errors and Warnings Installing a PHP environment on Windows Datetime Class Headers Manipulation Performance Common Errors Installing on Linux/Unix Environments Contributing to the PHP Core Coding Conventions Using MongoDB Asynchronous programming Using SQLSRV Unicode Support in PHP Functions Create PDF files in PHP How to Detect Client IP Address YAML in PHP Image Processing with GD Multiprocessing SOAP Server Machine learning Cache Streams Array iteration Cryptography PDO SQLite3 Sockets Outputting the Value of a Variable String formatting Compile PHP Extensions mongo-php Manipulating an Array Executing Upon an Array Processing Multiple Arrays Together SPL data structures Comments IMAP Using Redis with PHP Imagick SimpleXML HTTP Authentication Recipes BC Math (Binary Calculator)Docker deployment WebSockets APCu Design Patterns Secure Remeber Me php mysqli affected rows returns 0 when it should return a positive integer PHP Built in server How to break down an URL PSR

How to Detect Client IP Address

Proper use of HTTP_X_FORWARDED_FOR

In the light of the latest httpoxy vulnerabilities, there is another variable, that is widely misused.

HTTP_X_FORWARDED_FOR is often used to detect the client IP address, but without any additional checks, this can lead to security issues, especially when this IP is later used for authentication or in SQL queries without sanitization.

Most of the code samples available ignore the fact that HTTP_X_FORWARDED_FOR can actually be considered as information provided by the client itself and therefore is not a reliable source to detect clients IP address. Some of the samples do add a warning about the possible misuse, but still lack any additional check in the code itself.

So here is an example of function written in PHP, how to detect a client IP address, if you know that client may be behind a proxy and you know this proxy can be trusted. If you don't known any trusted proxies, you can just use REMOTE_ADDR

function get_client_ip()
{
    // Nothing to do without any reliable information
    if (!isset($_SERVER['REMOTE_ADDR'])) {
        return NULL;
    }
    
    // Header that is used by the trusted proxy to refer to
    // the original IP
    $proxy_header = "HTTP_X_FORWARDED_FOR";

    // List of all the proxies that are known to handle 'proxy_header'
    // in known, safe manner
    $trusted_proxies = array("2001:db8::1", "192.168.50.1");

    if (in_array($_SERVER['REMOTE_ADDR'], $trusted_proxies)) {
        
        // Get IP of the client behind trusted proxy
        if (array_key_exists($proxy_header, $_SERVER)) {

            // Header can contain multiple IP-s of proxies that are passed through.
            // Only the IP added by the last proxy (last IP in the list) can be trusted.
            $client_ip = trim(end(explode(",", $_SERVER[$proxy_header])));

            // Validate just in case
            if (filter_var($client_ip, FILTER_VALIDATE_IP)) {
                return $client_ip;
            } else {
                // Validation failed - beat the guy who configured the proxy or
                // the guy who created the trusted proxy list?
                // TODO: some error handling to notify about the need of punishment
            }
        }
    }

    // In all other cases, REMOTE_ADDR is the ONLY IP we can trust.
    return $_SERVER['REMOTE_ADDR'];
}

print get_client_ip();

Contributors

Topic Id: 5058

Example Ids: 17847

This site is not affiliated with any of the contributors.