Getting visitor IP address with PHP

Monday, 13 August 2007

Here's a function to detect remote IP address from a PHP script, even if the client/visitor is behind a proxy

function validip($ip) {
 
if (!empty($ip) && ip2long($ip)!=-1) {
 
$reserved_ips = array (
 
array('0.0.0.0','2.255.255.255'),
 
array('10.0.0.0','10.255.255.255'),
 
array('127.0.0.0','127.255.255.255'),
 
array('169.254.0.0','169.254.255.255'),
 
array('172.16.0.0','172.31.255.255'),
 
array('192.0.2.0','192.0.2.255'),
 
array('192.168.0.0','192.168.255.255'),
 
array('255.255.255.0','255.255.255.255')
 
);
 
 
foreach ($reserved_ips as $r) {
 
$min = ip2long($r[0]);
 
$max = ip2long($r[1]);
 
if ((ip2long($ip) >= $min) && (ip2long($ip) <= $max)) return false;
 
}
 
return true;
 
} else {
 
return false;
 
}
 }
 
 function getip() {
 
if (validip($_SERVER["HTTP_CLIENT_IP"])) {
 
return $_SERVER["HTTP_CLIENT_IP"];
 
}
 
foreach (explode(",",$_SERVER["HTTP_X_FORWARDED_FOR"]) as $ip) {
 
if (validip(trim($ip))) {
 
return $ip;
 
}
 
}
 
if (validip($_SERVER["HTTP_X_FORWARDED"])) {
 
return $_SERVER["HTTP_X_FORWARDED"];
 
} elseif (validip($_SERVER["HTTP_FORWARDED_FOR"])) {
 
return $_SERVER["HTTP_FORWARDED_FOR"];
 
} elseif (validip($_SERVER["HTTP_FORWARDED"])) {
 
return $_SERVER["HTTP_FORWARDED"];
 
} elseif (validip($_SERVER["HTTP_X_FORWARDED"])) {
 
return $_SERVER["HTTP_X_FORWARDED"];
 
} else {
 
return $_SERVER["REMOTE_ADDR"];
 
}
 }
 ?>

Credits go to http://algorytmy.pl/doc/php/function.getenv.php

Are you a Joomla/PHP/Web developer? You may want to check our freelance marketplaces list.

Give us some social love (it really works now)!

Comments (5)

1. IP ranges changed...05-01-2012 10:53

Sven

just a hint, the first part of the array for reserved IPs is wrong by this time, ip ranges 1.0.0.0/8 (APNIC) and 2/8 (RIPE) has been assigned and they are already in public use.

you should update the first row to:
"array('0.0.0.0','0.255.255.255'),"
to have 1/8 and 2/8 not in the reserved list.

2. Any solid proof soultion?23-07-2010 21:20

James http://www.gmmzone.com

@Trevor Gryffyn yup its true that values that comes from $_SERVER is not reliable as they can be spoofed but my question is there any solid proof and reliable way for this in php?

3. Query For An IP In A Database02-08-2009 06:47

Joshua K Roberson http://strictcoder.blogspot.com/

Here are different ways to store an IP or an IP range as well as query for the IPs.
http://strictcoder.blogspot.com/2009/08/different-ways-to-query-for-ip-in-your.html

4. Query For An IP In A Database07-06-2008 23:29

Ignas

"Written by Trevor GryffynThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it , on 07-12-2007 17:32
Just a quick aside.. in the PHP world, it's generally accepted that you shouldn't trust or rely upon data obtained from $_SERVER variables or many environment variables. That's not to say that they're always wrong, but they can be spoofed and other things can get in the way of them being accurate (the IP address you retrieve may be for a proxy server, a shared external IP for a large internal network, etc). So it's a passable basic start, but don't use it for any real security purposes."
So if whys script not very can you proved better?

5. Query For An IP In A Database07-12-2007 19:32

Trevor Gryffyn

Just a quick aside.. in the PHP world, it's generally accepted that you shouldn't trust or rely upon data obtained from $_SERVER variables or many environment variables. That's not to say that they're always wrong, but they can be spoofed and other things can get in the way of them being accurate (the IP address you retrieve may be for a proxy server, a shared external IP for a large internal network, etc). So it's a passable basic start, but don't use it for any real security purposes.

Write Comment