Results 1 to 28 of 28
  1. #1

    Lightbulb how to catch the ip of the visitor

    hello,

    anybody have the php script to catch the ip address.

    thanks in advance,

  2. #2
    Join Date
    Aug 2001
    Posts
    5,068
    PHP Code:
    $_SERVER['REMOTE_ADDR'// contains the IP address 
    Sitemeer.com - Is your site up?
    Multi-Location Service Availability Check ● yes, we do HTTPS & IDN!


  3. #3
    Join Date
    Aug 2002
    Location
    Canada
    Posts
    665
    Not always. Consider:

    Code:
    function getIP(){
    		$ip = FALSE;
    		
    		if( !empty( $_SERVER["HTTP_CLIENT_IP"] ) )
    			$ip = $_SERVER["HTTP_CLIENT_IP"];
    
    		if( !empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ){	
    			// Put the IP's into an array which we shall work with shortly.
    			$ips = explode( ", ", $_SERVER['HTTP_X_FORWARDED_FOR'] );
    			if( $ip ){ 
    				array_unshift( $ips, $ip ); 
    				$ip = false; 
    			}
    	
    			for( $i = 0; $i < count($ips); $i++ ){
    				if (!eregi ("^(10|172\.16|192\.168)\.", $ips[$i])) {
    					$ip = $ips[$i];
    					break;
    				}
    			}
    		}
    		return ($ip ? $ip : $_SERVER['REMOTE_ADDR']);
    	}
    circlical - hosting software development
    forums * blog

  4. #4
    HTTP_X_FORWARDED_FOR and CLIENT_IP can be left blank, since both are extra headers. REMOTE_ADDR *should* be the one containing the users' real IP, but someone can connect trough a proxy and spoof their real IP address.

    The only precise method to get someones' IP (if you're a total freak of course) is via JavaScript but you need to use xmlhttprequest (commonly known as AJAX) in order to pass the value to the server-side language. But then again, someone can just disable JS support in their browser and you're screwed again.
    Dyslexics Have More Fnu

  5. #5
    Join Date
    Aug 2002
    Location
    Canada
    Posts
    665
    HTTP_X_FORWARDED_FOR and CLIENT_IP can be left blank
    If you examine the code above, you'll find that this is understood. However, they can contain an information more accurate than REMOTE_ADDR which can simply reflect an ISP proxy for example. If you try this with AOL clients for example, you'll find that REMOTE_ADDR will shift quite a few times within a session. It is important to filter the information I've shown above.
    circlical - hosting software development
    forums * blog

  6. #6
    Quote Originally Posted by Saeven
    If you examine the code above, you'll find that this is understood. However, they can contain an information more accurate than REMOTE_ADDR which can simply reflect an ISP proxy for example. If you try this with AOL clients for example, you'll find that REMOTE_ADDR will shift quite a few times within a session. It is important to filter the information I've shown above.
    Yes, I examined your code and I saw it was checked for. I just gave additional general info as supplement to your code, which obviously does the job well.
    Dyslexics Have More Fnu

  7. #7
    Join Date
    Aug 2001
    Posts
    5,068
    Quote Originally Posted by Saeven
    If you examine the code above, you'll find that this is understood. However, they can contain an information more accurate than REMOTE_ADDR which can simply reflect an ISP proxy for example. If you try this with AOL clients for example, you'll find that REMOTE_ADDR will shift quite a few times within a session. It is important to filter the information I've shown above.
    REMOTE_ADDR is the only really reliable information about the address where the request came from. It is correct that the mentioned headers are sent by some/many proxy servers (if configured so) and should indicate the address of the real client, but this should be only stored as additional information as it can be easily faked. Also it wont be much of use if its a private IP address.

    A check like the mentioned is certainly a nice-to-have, but it shouldnt be the only one you rely on. REMOTE_ADDR is the only way to determine where the request came from in the end (of course a proxy will falsify the information but this a general problem and in such a case the mentioned method will help as addition).
    Sitemeer.com - Is your site up?
    Multi-Location Service Availability Check ● yes, we do HTTPS & IDN!


  8. #8
    Join Date
    Aug 2002
    Location
    Canada
    Posts
    665
    But this is precisely my point, it is not reliable at all. You must filter proxies as shown to avoid any issues.
    circlical - hosting software development
    forums * blog

  9. #9
    Join Date
    Aug 2001
    Posts
    5,068
    It is absolutely precise as far as the actual connection is concerned. That there might be one or more proxies which act on behalf of the client is a completely other issue. As I said the method you mentioned is nice-to-have and will also work is many cases of a proxy but should not be the only one as such a value can be too easily faked. Only REMOTE_ADDR gives you the information from where the connection was estabished.

    Ideally its data should be taken into account with the information you mentioned, however it should never be discarded in favor of some HTTP headers.
    Sitemeer.com - Is your site up?
    Multi-Location Service Availability Check ● yes, we do HTTPS & IDN!


  10. #10
    Join Date
    Nov 2003
    Location
    UK
    Posts
    174
    From my own personal experiance REMOTE_ADDR gives my ISP proxy
    as i often tend to find with my own scripts which use REMOTE_ADDR
    the only way i can find my real IP is via xforwarded
    however this isnt something I have looked into in any great detail
    might just be my ISP which i would imagine is the case, however I am unsure if using xforwarded would work even when REMOTE_ADDR gives the correct IP so you could just use xforwarded for everyone.. this is something i would need to look into

    Hope this helps

  11. #11
    Join Date
    Aug 2005
    Location
    UK
    Posts
    654
    Quote Originally Posted by maxymizer
    but someone can connect trough a proxy and spoof their real IP address.
    For some people it is not an option, their ISP forces them though a proxy.

    The one way you CAN get thier true IP is if you host the site on a SSL/TLS/HTTPS server. $_SERVER['REMOTE_ADDR'] would then have the REAL IP address of the end user.

  12. #12
    Join Date
    Mar 2004
    Location
    USA
    Posts
    4,342
    Quote Originally Posted by zoid
    REMOTE_ADDR is the only really reliable information about the address where the request came from. It is correct that the mentioned headers are sent by some/many proxy servers (if configured so) and should indicate the address of the real client, but this should be only stored as additional information as it can be easily faked. Also it wont be much of use if its a private IP address.

    A check like the mentioned is certainly a nice-to-have, but it shouldnt be the only one you rely on. REMOTE_ADDR is the only way to determine where the request came from in the end (of course a proxy will falsify the information but this a general problem and in such a case the mentioned method will help as addition).
    FYI: Sometimes the browsers do not send REMOTE_ADDR, renders it empty, actually many times.

    Peace,
    Testing 1.. Testing 1..2.. Testing 1..2..3...

  13. #13
    Join Date
    Aug 2001
    Posts
    5,068
    Quote Originally Posted by azizny
    FYI: Sometimes the browsers do not send REMOTE_ADDR, renders it empty, actually many times.

    Peace,
    REMOTE_ADDR is never sent by the browser but a value made available by the server which it takes from the connection. Hence it is always available.
    Sitemeer.com - Is your site up?
    Multi-Location Service Availability Check ● yes, we do HTTPS & IDN!


  14. #14
    Join Date
    Mar 2004
    Location
    USA
    Posts
    4,342
    Quote Originally Posted by zoid
    REMOTE_ADDR is never sent by the browser but a value made available by the server which it takes from the connection. Hence it is always available.
    I am not talking about techniqality, but rather my experience in PHP prgramming.

    I always see problem with remote address not working on many servers, and also happened twice to me, once on an IIS and Mac servers.

    Peace,
    Testing 1.. Testing 1..2.. Testing 1..2..3...

  15. #15
    Join Date
    Aug 2001
    Posts
    5,068
    Then I suppose there was some misconfiguration and the server might not have properly passed on the IP address to the script. This would be the only reason why this could happen.

    Nonetheless, REMOTE_ADDR is nothing sent by the browser, but a data structure which (in a properly configured system) is always available and reliably indicates the request's source.
    Sitemeer.com - Is your site up?
    Multi-Location Service Availability Check ● yes, we do HTTPS & IDN!


  16. #16
    Join Date
    Aug 2005
    Location
    UK
    Posts
    654
    I've seen a lot of screwed up Apache HTTPd installs, but never one that didn't set the ENV with a REMOTE_ADDR.. You can usualy reliy on that to atleast be where the TCP came from.

  17. #17
    Join Date
    Jan 2006
    Posts
    36
    copy and past following code

    ---------------------------------------------------------------------------
    <?php
    $ip = $_SERVER['REMOTE_ADDR'];
    echo $ip;
    ?>

  18. #18
    Join Date
    Mar 2006
    Posts
    965
    Try this:

    PHP Code:
    $ip = (!empty($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : ((!empty($_ENV['REMOTE_ADDR'])) ? $_ENV['REMOTE_ADDR'] : getenv("REMOTE_ADDR"));

    if (isset(
    $ip)) {
    echo 
    $ip;

    Chances to fail this one is quite minimal (unless very hardly and badly configured server).

  19. #19
    Out of curiosity, how do you configure your server not to provide $_SERVER['REMOTE_ADDR']?
    Dyslexics Have More Fnu

  20. #20
    Join Date
    Nov 2003
    Posts
    682
    And why would you isset() a variable that is always set?

  21. #21
    Join Date
    Mar 2006
    Posts
    965
    why would you isset() a variable that is always set?
    PHP Code:
    $ip = (!empty($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : ((!empty($_ENV['REMOTE_ADDR'])) ? $_ENV['REMOTE_ADDR'] : getenv("REMOTE_ADDR"));

     if (
    $ip) {
    echo 
    $ip;

    Sorry, my mistake.

  22. #22
    horizon, I really don't see why you're posting unnecessary reply. First off, Saeven already posted what's required to obtain IP address.
    You just posted something that makes no sense and is just unnecessary overhead and you're complicating simple things. Since you're assuming that getenv() function will always return the IP, why don't you use

    $ip = getenv('REMOTE_ADDR');

    and you're rid of your entire expression since that's your failsafe in the code anyway. And why are you if()-ing something that's always true? Stop posting such ridiculous bloated code and making yourself look bad. We all know you're highly skilled with ternary operator.
    Dyslexics Have More Fnu

  23. #23
    Join Date
    Nov 2003
    Posts
    682
    I suppose the if could be false if $_SERVER and $_ENV weren't populated and getenv() returned an error (that happens all the time, right?)
    Ok, maybe not.

  24. #24
    Join Date
    Mar 2006
    Posts
    965
    that happens all the time, right?
    Unfortunitely, no. There are some exceptions where servers are being configured differently (consideredly bad or for other specific reasons). Which is why, I posted the verifications above to see which one would respond, since this topic is about most possibilities to catch the visitor's IP.

    Which was also used for this reply:

    Then I suppose there was some misconfiguration and the server might not have properly passed on the IP address to the script. This would be the only reason why this could happen.

    Nonetheless, REMOTE_ADDR is nothing sent by the browser, but a data structure which (in a properly configured system) is always available and reliably indicates the request's source.

  25. #25
    I never saw a server that's configured NOT to populate $_SERVER array or one of its indexes. To do that, it's required to tamper with PHPs' source and compile it. It's nothing that someone does on accident or lack of knowledge - quite the contrary.
    And I never encountered a host that specifically did that, and if a host actually does that - they're fishy and no one should host anything there.

    Also, I'd like to see these hosts that are configured differently. Can you provide any links to them horizon?
    Dyslexics Have More Fnu

  26. #26
    Join Date
    Nov 2003
    Posts
    682
    Yeah, it must be all those hosts running PHP 4.0.6 that don't have $_SERVER available.

  27. #27
    Join Date
    Mar 2006
    Posts
    965
    Yeah, it must be all those hosts running PHP 4.0.6 that don't have $_SERVER available.
    And more but correct.

  28. #28
    Join Date
    Aug 2001
    Posts
    5,068
    Not to blow my own trumpet, but I have to say I find it rather interesting that a thread about a simple question turned so far into a 26 replies, 2 pages long debate, when it was already answered by the first reply.

    The mentioned HTTP headers are nice-to-haves but should never be taken as only source as only REMOTE_ADDR provides reliable information. If one really has to worry about PHP specifics, it should be checked in the following order.
    PHP Code:
    $REMOTE_ADDR
    $HTTP_SERVER_VARS
    ['REMOTE_ADDR']
    $_SERVER['REMOTE_ADDR'
    Sitemeer.com - Is your site up?
    Multi-Location Service Availability Check ● yes, we do HTTPS & IDN!


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •