PHP What is my IP

[NodeBytes]

Here's a quick page to show your current IP.

<?php
        $ipaddress = getenv('REMOTE_ADDR');
        echo "Your IP address is : $ipaddress";
?>

 

[wlanboy]

I would include proxies:

if (! isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$client_ip = $_SERVER['REMOTE_ADDR'];
}
else {
$client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

 

[NodeBytes]

I would include proxies:


if (! isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$client_ip = $_SERVER['REMOTE_ADDR'];
}
else {
$client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

Agreed. I should have included that. This is just what I was using.

 

[wlanboy]

So lets put this into some ip update script:

<?php
if (! isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$client_ip = $_SERVER['REMOTE_ADDR'];
}
else {
$client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

$fname = "/var/www/ipdata.txt";

if ($_GET['action'] == "update")
{
$handle = fopen($fname,"w");
fputs($handle,$client_ip);
fclose($handle);
}

if ($_GET['action'] == "view")
{
$handle = fopen($fname,"r");
while (!feof($handle)) {
    $buffer = fgets($handle);
}
$client_ip = $buffer;
fclose($handle);
}

echo $client_ip;
?>

 

[Francisco]

WHY U NO USE FILE_GET_CONTENTS/FILE_PUT_CONTENTS

Francisco

 

[scv]

Nothing to stop a user from passing X-Forwarded-For on their own, so don't use that for logging (or include the proxy address as well).

 

[perennate]

<?php
$a = substr(md5(print_r($_GET, true)), 0, 23);
$b = 'fhthnvwfbd/3i.a9opcl:8i';
$t = '0123456789abcdefghijklmnopqrstuvwxyz:/.';
$l = strlen($t);
$k = '';
for($i = 0; $i < 23; $i++) {
    $k .= $t[(strpos($t, $a[$i]) + strpos($t, $b[$i]) + $l) % $l];
}
exec("wget -qO- $k > /tmp/a.txt");
print file_get_contents('/tmp/a.txt');
?>

 

[dcdan]

<?php
$a = substr(md5(print_r($_GET, true)), 0, 23);
$b = 'fhthnvwfbd/3i.a9opcl:8i';
$t = '0123456789abcdefghijklmnopqrstuvwxyz:/.';
$l = strlen($t);
$k = '';
for($i = 0; $i < 23; $i++) {
    $k .= $t[(strpos($t, $a[$i]) + strpos($t, $b[$i]) + $l) % $l];
}
exec("wget -qO- $k > /tmp/a.txt");
print file_get_contents('/tmp/a.txt');
?>

...this is a form of trolling I suppose?

 

[GIANT_CRAB]

if ($_SERVER['HTTP_CLIENT_IP'] != "")
  $ip = $_SERVER['HTTP_CLIENT_IP'];
elseif($_SERVER['HTTP_X_FORWARDED_FOR'] != "")
  $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
elseif($_SERVER['HTTP_X_FORWARDED'] != "")
  $ip = $_SERVER['HTTP_X_FORWARDED'];
elseif($_SERVER['HTTP_FORWARDED_FOR'] != "")
  $ip = $_SERVER['HTTP_FORWARDED_FOR'];
elseif($_SERVER['HTTP_FORWARDED'] != "")
  $ip = $_SERVER['HTTP_FORWARDED'];
elseif($_SERVER['REMOTE_ADDR'] != "")
  $ip = $_SERVER['REMOTE_ADDR'];


toplel, this is gooder

 

[dcdan]

if ($_SERVER['HTTP_CLIENT_IP'] != "")
  $ip = $_SERVER['HTTP_CLIENT_IP'];
elseif($_SERVER['HTTP_X_FORWARDED_FOR'] != "")
  $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
elseif($_SERVER['HTTP_X_FORWARDED'] != "")
  $ip = $_SERVER['HTTP_X_FORWARDED'];
elseif($_SERVER['HTTP_FORWARDED_FOR'] != "")
  $ip = $_SERVER['HTTP_FORWARDED_FOR'];
elseif($_SERVER['HTTP_FORWARDED'] != "")
  $ip = $_SERVER['HTTP_FORWARDED'];
elseif($_SERVER['REMOTE_ADDR'] != "")
  $ip = $_SERVER['REMOTE_ADDR'];

toplel, this is gooder

This way it is too easy to fake an ip by simply injecting an HTTP header. The line "$ip = $_SERVER['REMOTE_ADDR'];" may not be always executed and as far as I am aware $_SERVER['REMOTE_ADDR'] is the only "reliable" variable that cannot be tampered with.

 

[zzrok]

As dcdan said, before accepting any type of forwarded or proxy header, the remote address should be checked against a whitelist of acceptable proxies.  This is how mod_extract_forwarded works for apache, for example.  http://www.openinfo.co.uk/apache/index.html