获取用户Ip地址通用方法与常见安全隐患(HTTP_X_FORWARDED_FOR)_PHP
这个来自一些项目中,获取用户Ip,进行用户操作行为的记录,是常见并且经常使用的。 一般朋友,都会看到如下通用获取IP地址方法。
复制代码 代码如下:
function getIP() {
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
$realip = $_SERVER['HTTP_CLIENT_IP'];
} else {
$realip = $_SERVER['REMOTE_ADDR'];
}
return $realip;
}
这个是网上常见获取,ip函数,用这些值获取IP,我们首先要弄清楚,这些数据是从那个地方传过来的。
IP获取来源
1.'REMOTE_ADDR' 是远端IP,默认来自tcp 连接是,客户端的Ip。可以说,它最准确,确定是,只会得到直接连服务器客户端IP。如果对方通过代理服务器上网,就发现。获取到的是代理服务器IP了。
如:a->b(proxy)->c ,如果c 通过'REMOTE_ADDR' ,只能获取到b的IP,获取不到a的IP了。
另外:该IP想篡改将很难实现,在传递知道生成php server值,都是直接生成的。
2.'HTTP_X_FORWARDED_FOR','HTTP_CLIENT_IP' 为了能在大型网络中,获取到最原始用户IP,或者代理IP地址。对HTTp协议进行扩展。定义了实体头。
HTTP_X_FORWARDED_FOR = clientip,proxy1,proxy2 所有IP用”,”分割。 HTTP_CLIENT_IP 在高级匿名代理中,这个代表了代理服务器IP。既然是http协议扩展一个实体头,并且这个值对于传入端是信任的,信任传入方按照规则格式输入的。以下以x_forword_for例子加以说明,正常情况下,这个值变化过程。

分析Bug风险点:
通过刚刚分析我们发现,其实这些变量,来自http请求的:x-forword-for字段,以及client-ip字段。 正常代理服务器,当然会按rfc规范来传入这些值。但是,当一个用户直接构造该x-forword-for值,发送给用户用户,那将会怎么样呢?
图(1)
第2步,修改x-forword-fox值,我们看看结果
第三步,我们再修改下看看会怎么样?
哈哈,看到上面结果没,x-forwarded-for不光可以自己设置值,而且可以设置任意格式值。 这样一来,好比就直接有一个可以写入任意值的字段。并且服务器直接读取,或者写入数据库,或者做显示。它将带来危险性,跟一般对入输入没有做任何过滤检测,之间操作数据源结果一样。 并且容易带来隐蔽性。
结论:上面getip函数,除了客户端可以任意伪造IP,并且可以传入任意格式IP。 这样结果会带来2大问题,其一,如果你设置某个页面,做IP限制。 对方可以容易修改IP不断请求该页面。 其二,这类数据你如果直接使用,将带来SQL注册,跨站攻击等漏洞。至于其一,可以在业务上面做限制,最好不采用IP限制。 对于其二,这类可以带来巨大网络风险。我们必须加以纠正。
需要对getip 进行修改,得到安全的getip函数。
这类问题,其实很容易出现,以前我就利用这个骗取了大量伪装投票。有它的隐蔽性,其实只要我们搞清楚了,某些值来龙去脉的话。理解了它的原理,修复该类bug将是非常容易。
题外话,做技术,有三步,先要会做,会解决;后要思考为什么要这么做,原因原理是什么;最后是怎么样做,有没有其它方法。多问问自己,你发现距离技术真理越来越近。你做事会越来越得心应手的!
作者:chengmo QQ:8292669

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics

Xiaohongshu is a popular social e-commerce platform where users can share their daily life and discover their favorite products. Some users are more sensitive to personal privacy and hope that their IP address will not be displayed on Xiaohongshu to protect their online privacy. So, how to set Xiaohongshu not to display the IP address? This article will answer this question in detail. 1. How to set Xiaohongshu not to display the IP address? 1. Modify Xiaohongshu settings: Open Xiaohongshu APP, click "Me" in the lower right corner to enter the personal center. Then click on the avatar to enter account settings. In the account settings, find "Privacy Settings" and click to enter. Here, you can find the setting options for IP address, just turn it off. 2. Clear cache: Sometimes, Xiaohongshu may display an error

How to view all IP addresses on the LAN using cmd: 1. Press the "Win+R" shortcut key to open the "Run" window; 2. After entering "CMD" in the "Run" window, press the Enter key; 3. In the open "Command" In the "Prompt" interface, enter the command "arp -a" and press the Enter key; 4. From the returned results, you can see the IP addresses of all computers in the local LAN that communicate with the machine.

Sometimes everyone encounters the need to manually modify the IP address, but some Windows 10 customers report that the IP address cannot be saved after setting it. How to solve this situation? The IP address is stored basically because there is an error in filling in your IP address. You can check whether the subnet prefix has been written with the subnet mask. If so, change it back. After the change, you can save it normally. IP address. How to solve the problem that the Windows 10 IP address cannot be saved after it is set: The error picture is as follows: The prompt "Unable to save the IP setting, please check one or more settings and try" caused by filling in the error. This is the subnet prefix length, not the subnet mask. as the picture shows. As shown in the picture above, many users actually write out the subnet prefix as the subnet mask.

Where is the IP address of Xiaomi mobile phone? You can check the IP address on Xiaomi mobile phone, but most users don’t know where to check the IP address. Next is the graphic tutorial on how to check the IP address of Xiaomi mobile phone brought by the editor. Interested users come and take a look! Where is the IP address of Xiaomi mobile phone? 1. First open the settings function in Xiaomi mobile phone, select [My Device] and click to enter; 2. Then on the My Device function page, click [All Parameters] service; 3. Then on the All Parameters page , slide to the bottom and select [Status Information]; 4. Finally, you can see the IP address in the status information interface.

Xianyu is a very practical second-hand trading platform. Here we can buy many different products and sell our own idle items. What if we want to modify our address? Let’s take a look with the editor below! Share how to modify the Xianyu IP address. First, open the Xianyu software. After entering the homepage, you can see seafood market, recommendations, address and other options in the upper left corner. Click "Address". 2. Then on the address page, we click the [Down Arrow] next to the address; 3. After the final click, we click on the city on the city selection page;

Users share their lives, show off their talents, and interact with netizens across the country and even the world through Douyin. Some users wish to change their IP addresses on Douyin due to reasons such as privacy protection or geographical restrictions. So, how does the Douyin IP address change its location? 1. How to change the location of Douyin IP address? A proxy server is an intermediary service used to forward user requests to the Internet and return responses. By configuring a proxy server, users can hide their real IP addresses and change their IP addresses. This approach helps protect user privacy and improves network security. Proxy servers can also be used to access restricted content or bypass geolocation restrictions. Overall, using a proxy server is a practical network tool that can help users browse the Internet more safely and freely.

Each host has a unique address identifier called an "IP address." The IP address is a unified address format provided by the IP protocol. It assigns a unique logical address to each network and each host on the Internet to shield the differences in physical addresses. Because of this unique address, it is ensured that users can efficiently and conveniently select the objects they need from thousands of computers when operating on connected computers.

With the rapid development of the Internet, IP addresses have become an indispensable part of network communications. IP address information is very important in network security monitoring, traffic management, and targeted e-commerce advertising. Therefore, in order to facilitate users to query IP address/domain name information, many websites provide IP address query functions. This article will introduce how to use PHP to implement the IP address query function for readers' reference. 1. What is an IP address? IP address (InternetProtocolAddress) is the network protocol
