function get_real_ip()
{
$ip = false;
if(!empty($_SERVER['HTTP_CLIENT_IP']))
{
$ip = $_SERVER['HTTP_CLIENT_IP'];
}
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$ips = explode(", ", $_SERVER['HTTP_X_FORWARDED_FOR']);
if($ip)
{
array_unshift($ips, $ip);
$ip = false;
}
for($i = 0; $i < count($ips); $i++)
{
if(!preg_match("/^(10|172\.16|192\.168)\./i", $ips[$i]))
{
if(version_compare(phpversion(), "5.0.0", ">="))
{
if(ip2long($ips[$i]) != false)
{
$ip = $ips[$i];
break;
}
}
else
{
if(ip2long($ips[$i]) != - 1)
{
$ip = $ips[$i];
break;
}
}
}
}
}
return ($ip ? $ip : $_SERVER['REMOTE_ADDR']);
}

...Yes...I agree...

What?

Well as I can see it's a piece of code that attempts to get the true origin IP address if someone has gone through a proxy server - although IMO it would've been a good idea to at least add a little bit to the beginning to say that rather than just posting a random piece of code. It does look like a good piece of code though :)

Hello all.

I remember when I glanced at this post and thought it was like several years ago.

Let me blunt!

NEVER use HTTP_X_FORWARDED_FOR to check for the IP because it can easily be spoofed. phpBB used to use this and changed it to REMOTE_ADDR in 2004 because of the potential flaw that may allow a remote attacker to circumvent administrative user management.

Now, I don't know about any security issues with HTTP_CLIENT_IP, but maybe someone can search on that.

Stick with $_SERVER['REMOTE_ADDR'].

$_SERVER['HTTP_X_FORWARDED_FOR'] is an illusional solution.

The CLIENT_IP lots of these proxy scripts actually use the exact same function above.

All you have to do is send a spoofed CLIENT_IP of 127.0.0.1 and they will list your IP as that.

-Scott

Thanks For The Code .

Cool, thank you.

or you could just use whatismyip.com (http://www.whatismyip.com)

Does it get real IP by-passing proxy?

yea, it gets your real IP. I tested it on my home router, and I've tested it on numerous other networks. Works for me.

Thanks for sharing
, i tested it and works for me

Althought it may display a gateway or proxy server the only real type that cannot be forged is REMOTE_ADDR. The other 2 variables are passed in the header information (which is easily forged) and are normally passed by a proxy server, but who says they have to be.

I think this routine should help:

http://ca3.php.net/manual/en/function.ip2long.php#70707

It fails on socks, fails on AOL, compuserve, ghostusurf and whatever real solution when it comes to ip masking so what's the use to get "the real ip". There's no such thing. I would change it to "potential"

Just paste this image onto your site and have the results logged locally....

http://www.whatismyip.com.br/tools/myip01.png


Use one of the images below to link to us. They will be instantly generated with your visitor's IP address.From http://ww2.whatismyip.com.br:8080/tools/?lang=en

Sure looks like an interesting idea but does use a little bit more traffic to capture IP addresses remotely. ;)

Yes maybe a little bit,not much i reckon...

You could also put the code on your own site so it doesnt have to goto THAT SITE to fetch it...

[edited] - I thought the page was completely loaded.


You could also put the code on your own site


If it does not connect remotely, it does look quite useful. :)

AFAIK, the only way to detect the REAL ip is to use a Java application and enumerate the network interfaces.

Yes but that also uses resources to load the applet i believe......

Really whenever someone visits your site,they are logged in the connection file anyway,so......

Yes but that also uses resources to load the applet i believe......


The ressources is used when downloading the applet and, the most; to decode it for each logged in users.

Dude can I use this script? Its sexy!

Althought it may display a gateway or proxy server the only real type that cannot be forged is REMOTE_ADDR. The other 2 variables are passed in the header information (which is easily forged) and are normally passed by a proxy server, but who says they have to be.

Yup, you basically nailed it right there.

thanks alot >>>>>>>>>

nice good job thanks

nice script... its gets the real ip even from behind the proxy..

Urm....huh?
Did I miss something?

A 2 year old thread showing how to do something in 40 lines that could be done with the exact same result in a few lines.

REMOTE_ADDR gets the IP address from which the user is viewing the current page. If they are viewing the page from an anonymous proxy server then the IP will be that anonymous proxy server.
As will be any FORWARDED address, backlinked address, multi tunneled address, slight of hand under the table address or any other kind.
The proxy gets the data from website and displays it on the proxy server. It sends its own data and nothing of yours if it is a true anonymous server, and therefore the site with this script on gets nothing about the user, just the proxy server.

If you send your IP to an anonymous proxy, and they DON'T forward your IP onto the site/page you are viewing, how is it ever going to be possible for a script on that site/page to trace back and get your IP?

It would have to request from the proxy server what the incoming IP is.
Seriously, IP addresses are in no way a reliable identification of a user surfing the web.
Two people could be using the same site with the same IP, or you could be using an IP your next door neighbour had yesterday.

They are simply for devices to identify who's who in a network.

I don't see why there is a huge issue always with people desperately scrabbling to get people's IP addresses. They mean nothing.

If you wanted, you could be untraceable to even the FBI, KGB and etc within a few hops

Thanks, this'll be very useful in a script I'm writing.

Urm....huh?
Did I miss something?

A 2 year old thread showing how to do something in 40 lines that could be done with the exact same result in a few lines.



yes I think this code will give the same result

<?php echo $_SERVER['REMOTE_ADDR'];?>