Getting real IP address in PHP
Posted on December 27, 2007
Filed Under how-to, php, tips and technique
Are you using $_SERVER['REMOTE_ADDR'] to find the client’s IP address in PHP? Well dude, you might be amazed to know that it may not return the true IP address of the client at all times. If your client is connected to the Internet through a proxy server, then $_SERVER['REMOTE_ADDR'] in PHP just returns the IP address of the proxy server, not of the client’s machine. So here is a simple function in PHP to find the real IP address of the client’s machine. There are extra server variables which might be available to determine the exact IP address of the client’s machine in PHP: they are HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR.
Function to find real IP address in PHP
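function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP']))
    {
        // check IP from shared internet connection
        // (Client-IP request header: sent by the client or a proxy, not verified)
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        // check whether the IP was passed on by a proxy
        // (X-Forwarded-For request header: sent by the client or a proxy, not verified)
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        // address of the peer that opened the connection to the web server
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}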
In this PHP function, the first attempt is to get the direct IP address of the client’s machine; if that is not available, it tries the forwarded-for IP address using HTTP_X_FORWARDED_FOR. If this is also not available, it finally gets the IP address using REMOTE_ADDR.
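A stricter variant of the function above, as an added example that is not part of the original post: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so this version uses X-Forwarded-For only when the connection itself comes from a proxy you run. The names getClientIp and TRUSTED_PROXIES are hypothetical, the proxy addresses are constructed, and it assumes your proxies append the peer address to X-Forwarded-For rather than overwrite the header.

```php
<?php
// Added example. TRUSTED_PROXIES is a constructed list: replace it with the
// addresses of the reverse proxies / load balancers you actually operate.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

/**
 * Resolve the client address from a $_SERVER-style array.
 * X-Forwarded-For is honoured only when the TCP peer (REMOTE_ADDR) is one of
 * our own proxies; HTTP_CLIENT_IP is never used because nothing vouches for it.
 */
function getClientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '';                      // no usable peer address (e.g. CLI)
    }
    // Direct connection, or no forwarding header: the peer is the client.
    if (!in_array($remote, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the
    // address it received the request from. Walk from the right and stop at
    // the first hop that is not ours; everything left of it is unverified.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;             // malformed entry: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;                // first address not vouched for by us
        }
    }
    return $remote;                     // every hop was one of our proxies
}

// Constructed requests (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
// 1. Peer is not our proxy, so the header it sent is ignored.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
// 2. Peer is our proxy: use the address the proxy recorded.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];
// 3. Client sent its own entry first; only the proxy-appended hop is used.
$padded  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.44, 198.51.100.9'];

foreach ([$direct, $proxied, $padded] as $request) {
    echo getClientIp($request), "\n";
}
```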
Comments
16 Responses to “Getting real IP address in PHP”
1) You forgot to return $ip
2) The problem with “HTTP_” headers is that they can easily be faked by the client. I could make your function believe I have any address, simply by sending it an X-Forwarded-For header. Here’s a little proof of concept (what you see is a script that echoes the return value of your function):
ovidiu@ovidiu-desktop:~$ telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
GET /delme/ HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 01 Jan 2008 14:54:49 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.2
X-Powered-By: PHP/5.2.3-1ubuntu6.2
Content-Length: 10
Connection: close
Content-Type: text/html
127.0.0.1
Connection closed by foreign host.
ovidiu@ovidiu-desktop:~$ telnet localhost 80
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
GET /delme/ HTTP/1.0
X-Forwarded-For: 10.0.0.1
HTTP/1.1 200 OK
Date: Tue, 01 Jan 2008 14:55:27 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.2
X-Powered-By: PHP/5.2.3-1ubuntu6.2
Content-Length: 9
Connection: close
Content-Type: text/html
10.0.0.1
Connection closed by foreign host.
ovidiu@ovidiu-desktop:~$
Of course, in real life you wouldn’t use telnet. That was just a demonstration. You would send that header using cURL or fsockopen(). You could generate IP addresses randomly and fool the script every time.
Thanks for figuring out the missing return statement, I’ve placed it in the code now.
And you’re right about “HTTP_” headers, they can easily be faked.
And, if you really want to fake the IP address then you can easily do it by browsing the web anonymously with a fake proxy server. You can find lots of such websites which allow you to browse the web anonymously.
Although we are trusting the user not to spoof the HTTP headers, there is another flaw depending on what you want from this function. Very often you’ll just get a 192.168.*.* or 10.*.*.* address, telling you just the private address the client got from their DHCP server.
I’ve written a Perl module that uses NetAddr::IP to determine if an IP address is private or public. I then check each of HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR and REMOTE_ADDR and return the first one that is public. If none of them are public I return REMOTE_ADDR.
So, dear Php Gurus, what’s the final code? Please let me know.
There are many more headers that you can check if someone is using a proxy. This is what I know:
HTTP_PRAGMA, HTTP_XONNECTION, HTTP_CACHE_INFO, HTTP_XPROXY, HTTP_PROXY, HTTP_PROXY_CONNECTION, HTTP_CLIENT_IP, HTTP_VIA, HTTP_X_COMING_FROM, HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_COMING_FROM, HTTP_FORWARDED_FOR, HTTP_FORWARDED, ZHTTP_CACHE_CONTROL
I love magic!
function getIpAddress() {
return (empty($_SERVER['HTTP_CLIENT_IP'])?(empty($_SERVER['HTTP_X_FORWARDED_FOR'])?
$_SERVER['REMOTE_ADDR']:$_SERVER['HTTP_X_FORWARDED_FOR']):$_SERVER['HTTP_CLIENT_IP']);
}
How to get the username and computer name using PHP..? Thanks In advance
If the user is using WAN then you can use gethostbyaddr($_SERVER['REMOTE_ADDR']); to get the hostname, in LAN it’s not possible.
It is possible to find said information on a LAN, it just has to be a LAN with reverse DNS for all machines in the DNS servers. This should also be possible with zeroconf (also under many other names) networking, but I don’t believe PHP functions exist for this yet.