Understand how to get client IP in php

This article explains how to obtain the client IP through php

The function to obtain the IP is as follows:

function getIP() {
    $realip = ''; //设置默认值
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
        $realip = $_SERVER['HTTP_CLIENT_IP'];
    } else {
        $realip = $_SERVER['REMOTE_ADDR'];
    }
    preg_match('/^((?:\d{1,3}\.){3}\d{1,3})/',$realip,$match);
        if($match && ipType($match[0]) == 'InterNet网地址'){
                return  $match[0];
        }else{
                return  false;
        }
}

// The Internet allows the use of IP addresses

function ipType($ip) {
    $iplist = explode(".", $ip);
    if ($iplist[0] >= 224 && $iplist[0] <= 239)
                return &#39;多播&#39;;
        if ($iplist[0] >= 240 && $iplist[0] <= 255)
        return &#39;保留&#39;;
    if (preg_match(&#39;/^198\.51\.100/&#39;, $ip))
        return &#39;TEST-NET-2，文档和示例&#39;;
    if (preg_match(&#39;/^203\.0\.113/&#39;, $ip))
        return &#39;TEST-NET-3，文档和示例&#39;;
    if (preg_match(&#39;/^192\.(18|19)\./&#39;, $ip))
        return &#39;网络基准测试&#39;;
    if (preg_match(&#39;/^192\.168/&#39;, $ip))
        return &#39;专用网络[内部网]&#39;;
    if (preg_match(&#39;/^192\.88\.99/&#39;, $ip))
        return &#39;ipv6to4中继&#39;;
    if (preg_match(&#39;/^192\.0\.2\./&#39;, $ip))
        return &#39;TEST-NET-1，文档和示例&#39;;
    if (preg_match(&#39;/^192\.0\.0\./&#39;, $ip))
        return &#39;保留（IANA）&#39;;
    if (preg_match(&#39;/^192\.0\.0\./&#39;, $ip))
        return &#39;保留（IANA）&#39;;
    if ($iplist[0] == 172 && $iplist[1] <= 31 && $iplist[1] >= 16)
        return &#39;专用网络[内部网]&#39;;
    if ($iplist[0] == 169 && $iplist[1] == 254)
        return &#39;链路本地&#39;;
    if ($iplist[0] == 127)
        return &#39;环回地址&#39;;
    if ($iplist[0] == 10)
        return &#39;专用网络[内部网]&#39;;
    if ($iplist[0] == 0)
        return &#39;本网络（仅作为源地址时合法）&#39;;
    return &#39;InterNet网地址&#39;;
}

The common functions to obtain IP on the Internet are as follows:

public function get_real_ip() {
    static $realip;
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else if (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv('HTTP_X_FORWARDED_FOR')) {
            $realip = getenv('HTTP_X_FORWARDED_FOR');
        } else if (getenv('HTTP_CLIENT_IP')) {
            $realip = getenv('HTTP_CLIENT_IP');
        } else {
            $realip = getenv('REMOTE_ADDR');
        }
    }
    return $realip;
}

Difference between 'REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'?

1.’REMOTE_ADDR’ is the remote IP, the default is from the tcp connection, the client’s IP. It can be said that it is most accurate and certain that it will only get the client IP directly connected to the server. If the other party accesses the Internet through a proxy server, it will be discovered. What is obtained is the proxy server IP.

For example: a->b(proxy)->c, if c passes 'REMOTE_ADDR', only b's IP can be obtained, but a's IP cannot be obtained.

2. ‘HTTP_X_FORWARDED_FOR’, ‘HTTP_CLIENT_IP’ In order to obtain the original user IP or proxy IP address in a large network. Extend the HTTP protocol. Entity header is defined.

HTTP_X_FORWARDED_FOR = clientip,proxy1,proxy2 All IPs are separated by ",". HTTP_CLIENT_IP In advanced anonymous proxy, this represents the proxy server IP. Since the http protocol extends an entity header, and this value is trusted by the incoming end, it is trusted that the incoming end inputs it according to the rule format. The following uses the example of x_forword_for to illustrate. Under normal circumstances, this value changes process.

Risk points:

These variables come from the http request: x-forword-for field, and client-ip field. A normal proxy server will, of course, pass in these values ​​according to rfc specifications. However, when a user directly constructs the x-forword-for value and sends it to the user, it is like there is a field that can write any value. And the server directly reads, or writes to the database, or displays. It will bring danger, just like the result of operating the data source without any filtering and testing on the input.

For the above getip function:

Except that the client can forge IP at will and can pass in IP in any format. This will cause two major problems. First, if you set up a certain page and impose IP restrictions. The other party can easily change the IP and continuously request the page. Secondly, if you use this kind of data directly, it will bring vulnerabilities such as SQL registration and cross-site attacks. As for the first one, you can set restrictions on the business, and it is best not to use IP restrictions. For the second one, this type can bring huge cyber risks. We must correct it.

This article explains how to obtain the client IP through php. For more related content, please pay attention to the php Chinese website.

Related recommendations:

Detailed explanation of the use of Session in php

The difference between die(), exit(), and return in php Introduction

#The difference between on condition and where condition in SQL

The above is the detailed content of Understand how to get client IP in php. For more information, please follow other related articles on the PHP Chinese website!