Last Updated: February 25, 2016 · maikeldaloo

Retrieve user IP address

Handy method for retrieving a user's IP address, even when they're behind a proxy server.

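/**
 * Get a user's IP address. Even if they're behind a proxy.
 *
 * Every key except REMOTE_ADDR is filled from a request header, so the
 * client can set it to any value.
 *
 * @return string|null First valid IP found, or null if there is none.
 */
function get_ip_address() {
    $server_vars = array(
        'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED',
        'REMOTE_ADDR',
    );
    foreach ( $server_vars as $key ) {
        if ( array_key_exists($key, $_SERVER) !== true ) continue;
        foreach ( explode(',', $_SERVER[$key]) as $ip ) {
            // List entries are usually separated by ", ", so strip whitespace
            // before validating; otherwise only the first entry can match.
            $ip = trim($ip);
            if ( filter_var($ip, FILTER_VALIDATE_IP) !== false ) {
                return $ip;
            }
        }
    }
    // No candidate held a valid IP address.
    return null;
}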

Source: http://www.kavoir.com/2010/03/php-how-to-detect-get-the-real-client-ip-address-of-website-visitors.html

4 Responses

The problem with that function is that it enables the user to fake his IP without passing through a proxy, by adding an HTTP_X_FORWARDED_FOR header for example.

Use this with caution and only if your website is behind a reverse proxy like Varnish ... and if not, don't trust only headers :)

over 1 year ago ·

Thanks for the feedback.

I've done a bit of research to find a solid way of retrieving a user's IP, but it seems to be a whole lot more complicated than it should be.

Would you have a source that I could look into?
I'm just looking for a simple/solid way to get a user's IP.

Most of the frameworks give a way to get the IP, but this is just a standalone thing that could come in handy one day :)

over 1 year ago ·

Hi,

Unfortunately there is no way to trust headers from a proxy - but there are some workarounds:

  • save all IPs (even if they're faked)
    If you do a blacklist based on IP, do the check against all IPs - if the user fakes the headers, the REMOTE_ADDR is never faked (it comes from the socket connection)

  • try to detect if the headers are faked
    If you really want to know if the IP is faked, try to connect to common proxy ports (80, 8080, 1024 ...etc...) but this will be costly on a common page, you could only do that over a connection form for example, with a very low connection TTL (like 100ms) - but this also could be faked if the user opens a listening socket on a proxy port (keep in mind that this is just for warning/logging a bad result - if the result is OK you're not sure anyway)

  • have a list of trusted proxy IPs:
    Check the current REMOTE_ADDR against a list of trusted IPs (like a list of reverse proxies from your own network). This does not work over the web.

And don't forget the anonymized proxies - they don't send you headers with the user IP - there is no way to know who is behind. The workaround here is to just scan ports, find out that it is a proxy, and disable its access from its remote_addr.

For sure, the problem can't be solved in a function ^^, but my advice is: if you want to secure an access (back-office), trust only REMOTE_ADDR; if you want to ban someone, yes, you could use this function, it will just work great.

over 1 year ago ·
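
The trusted-proxy list described in the response above, as an added example that is not part of the original tip or its comments: forwarding headers are read only when REMOTE_ADDR belongs to a reverse proxy you operate, and X-Forwarded-For is walked from the right so a forged prefix is ignored. The function names, CIDR ranges and sample requests are constructed for illustration; it assumes PHP 7.1+ and proxies that append the peer address to X-Forwarded-For.

```php
<?php
/** True if $ip is inside $cidr (IPv4 or IPv6), e.g. "10.0.0.0/8". */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits === null ? $max : max(0, min($max, (int) $bits));
    $full = intdiv($bits, 8);
    $rest = $bits % 8;
    if (strncmp($ipBin, $netBin, $full) !== 0) return false; // a whole byte differs
    if ($rest === 0) return true;
    $mask = (0xFF << (8 - $rest)) & 0xFF; // leading bits of the partial byte
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function is_trusted_proxy(string $ip, array $trusted): bool {
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

/** REMOTE_ADDR, unless the socket peer is one of our own reverse proxies. */
function client_ip(array $server, array $trusted): ?string {
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null || !is_trusted_proxy($peer, $trusted)) {
        return $peer; // direct connection: any forwarding header is client-supplied
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $client = $peer;
    // Walk right to left: the rightmost entries were appended by our own proxies.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) break; // malformed: stop
        $client = $hop;
        if (!is_trusted_proxy($hop, $trusted)) break; // first hop we do not control
    }
    return $client;
}

$trusted = ['10.0.0.0/8', '2001:db8:1::/48']; // constructed proxy ranges
$requests = [ // constructed $_SERVER snapshots
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'],
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.8'],
];
foreach ($requests as $s) echo $s['REMOTE_ADDR'], ' -> ', client_ip($s, $trusted), "\n";
```

The first sample connects directly, so its forged header is ignored; in the other two the address returned is the rightmost entry that is not one of the trusted proxies.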

Wow.. Your comment is very helpful for anyone who's trying to implement a feature based on user IP.

Thanks for the response and explanation :)

over 1 year ago ·