PHP most accurate / safe way to get real user IP address in 2017

后端 未结 10 480
粉色の甜心
粉色の甜心 2021-01-01 15:51

What is the most accurate way to get user\'s IP address in 2017 via PHP?

I\'ve read a lot of SO questions and answers about it, but most of answers are old and comme

相关标签:
10条回答
  • 2021-01-01 16:14

    Short answer:

    $ip = $_SERVER['REMOTE_ADDR'];


    As of 2019 $_SERVER['REMOTE_ADDR']; is the only reliable way to get users ip address, but it can show erroneous results if behind a proxy server.
    All other solutions imply security risks or can be easily faked.

    0 讨论(0)
  • 2021-01-01 16:14

    As the real method is to check user IP is $ip = $_SERVER['REMOTE_ADDR'];

    If the user is using VPN or any proxy then it will not detect the original IP.

    0 讨论(0)
  • 2021-01-01 16:18

    Get Client IP Address:

    <?php
     echo   $ip = $_SERVER['REMOTE_ADDR'];
    ?>
    

    Note:: This would work only on live site, because on your local host your ip would be one (1) of the internal ip addresses, like 127.0.0.1 So, its Return ::1

    Example : https://www.virendrachandak.com/demos/getting-real-client-ip-address-in-php.php

    Its Show Your Local Ip: Like ... 78.57.xxx.xxx

    Example:

    <?php
    $myIp= getHostByName(php_uname('n'));
     echo $myIp;
    ?>
    
    0 讨论(0)
  • 2021-01-01 16:19

    You have to collaborate with your sysops team (or if you're wearing that hat too, you will need to do some research). The header check is used when your network infrastructure is configured in certain ways where the remote requester is one of your network appliances instead of the end user.

    This sort of thing happens when your web server(s) sit behind a load balancer or firewall or other appliance that needs to interrogate the payload to properly handle it. An example is when a load balancer terminated ssl and forwards the request on to the web server without ssl. When this occurs the remote address becomes the load balancer. It also happens with firewall appliances that do the same thing.

    Most instances the device will offer configuration to set a header value in the request with the original remote ip address. The header is usually what you'd expect but it can in some cases be different or even configurable.

    What's more, depending on your web server configuration (apache, nginx or other) may not support or be currently configured to support certain custom headers such as the common ip header.

    The point is us you will need to investigate your network configuration to ensure that the original requester's ip makes it all the way through to your application code and in what form.

    0 讨论(0)
  • 2021-01-01 16:21

    First, it is impossible to reliably determine someone's source IP address if they are intent on being hidden. Even something which today seems foolproof, will soon have a loophole (if it doesn't already). As such, any answer below should be considered UNTRUSTED, which means that if you put all of your eggs in this basket, be prepared for someone to take advantage of it or circumvent it somehow.

    I won't get in to all the ways someone can circumvent IP tracking, because it is constantly evolving. What I will say is that it can be a useful tool for logging as long as you know that IP addresses can easily change or otherwise be masked.

    Now, one big point to make is that there is a difference between a public IP address and a private IP address. In IPV4, routers are generally assigned one public IP address, which is all that a server-side language can actually grab, because it doesn't see your client-side IP address. To a server, your computer doesn't exist as a web-space. Instead, your router is all that matters. In turn, your router is the only thing that cares about your computer, and it assigns a private IP address (to which your 172...* address belongs) to make this work. This is good for you, because you can't directly access a computer behind a router.

    If you want to access a private IP address, you need to use JavaScript (client-side language). You can then store the data asynchronously via AJAX. As far as I know, this is only currently possible using WebRTC-enabled Chrome and Firefox. See here for a demo.

    I tested this and it returns private IP addresses. Typically I think this is used by advertisers to help track individual users in a network, in conjunction with the public IP address. I am certain that it will quickly become useless as people come up with workarounds or as public outcry forces them to offer the ability to disable the WebRTC API. However, for the time being it works for anyone who has JavaScript enabled on Chrome and Firefox.

    More Reading:

    • What is a Private Network?
    • STUN IP Address requests for WebRTC
    • Quick Link: IP address checker
    0 讨论(0)
  • 2021-01-01 16:22

    If you'd like to use a pre-built library, you can use Whip.

    Using pre-made libraries are usually better because most of them will have been checked thoroughly by an active community. Some of them, especially the ones that have been around for a long time, have more features built-in.

    But if you want to code it yourself to learn the concept, then it's ok I guess. I recommend packaging it as a stand alone library and releasing it as open-source :)

    EDIT: I do not recommend using the remote IP in security mechanisms as they are not always reliable.

    0 讨论(0)
提交回复
热议问题