What is the most accurate way to retrieve a user s correct IP address in PHP

Question

I know there are a plethora of   SERVER variables headers available for IP address retrieval  I was wondering if there is a general consensus as to how to most accurately retrieve a user s real IP address  well knowing no method is perfect  using said variables   I spent some time trying to find an in depth solution and came up with the following code based on a number of sources  I would love it if somebody could please poke holes in the answer or shed some light on something perhaps more accurate   edit includes optimizations from  Alix           Retrieves the best guess of the client s actual IP address      Takes into account numerous HTTP proxy headers due to variations     in how different ISPs handle IP addresses in headers between hops        public function get ip address          Check for shared internet ISP IP   if   empty   SERVER  HTTP CLIENT IP     amp  amp   this- gt validate ip   SERVER  HTTP CLIENT IP        return   SERVER  HTTP CLIENT IP          Check for IPs passing through proxies   if   empty   SERVER  HTTP X FORWARDED FOR             Check if multiple IP addresses exist in var      iplist   explode        SERVER  HTTP X FORWARDED FOR         foreach   iplist as  ip         if   this- gt validate ip  ip         return  ip                   if   empty   SERVER  HTTP X FORWARDED     amp  amp   this- gt validate ip   SERVER  HTTP X FORWARDED        return   SERVER  HTTP X FORWARDED      if   empty   SERVER  HTTP X CLUSTER CLIENT IP     amp  amp   this- gt validate ip   SERVER  HTTP X CLUSTER CLIENT IP        return   SERVER  HTTP X CLUSTER CLIENT IP      if   empty   SERVER  HTTP FORWARDED FOR     amp  amp   this- gt validate ip   SERVER  HTTP FORWARDED FOR        return   SERVER  HTTP FORWARDED FOR      if   empty   SERVER  HTTP FORWARDED     amp  amp   this- gt validate ip   SERVER  HTTP FORWARDED        return   SERVER  HTTP FORWARDED          Return unreliable IP address since all else failed   return   SERVER  REMOTE ADDR                 Ensures an IP address is both a valid IP address and does not fall within     a private network range           access public      param string  ip       public function validate ip  ip         if  filter var  ip  FILTER VALIDATE IP                            FILTER FLAG IPV4                             FILTER FLAG IPV6                            FILTER FLAG NO PRIV RANGE                             FILTER FLAG NO RES RANGE      false           return false       self   ip    ip       return true       Words of Warning  update   REMOTE ADDR still represents the most reliable source of an IP address  The other   SERVER variables mentioned here can be spoofed by a remote client very easily  The purpose of this solution is to attempt to determine the IP address of a client sitting behind a proxy  For your general purposes  you might consider using this in combination with the IP address returned directly from   SERVER  REMOTE ADDR   and storing both   For 99 9  of users this solution will suit your needs perfectly  It will not protect you from the 0 1  of malicious users looking to abuse your system by injecting their own request headers  If relying on IP addresses for something mission critical  resort to REMOTE ADDR and don t bother catering to those behind a proxy

User · Answer

I came up with this function that does not simply return the IP address but an array with IP information.

// Example usage:
$info = ip_info();
if ( $info->proxy ) {
    echo 'Your IP is ' . $info->ip;
} else {
    echo 'Your IP is ' . $info->ip . ' and your proxy is ' . $info->proxy_ip;
}

Here's the function:

/**
 * Retrieves the best guess of the client's actual IP address.
 * Takes into account numerous HTTP proxy headers due to variations
 * in how different ISPs handle IP addresses in headers between hops.
 *
 * @since 1.1.3
 *
 * @return object {
 *         IP Address details
 *
 *         string $ip The users IP address (might be spoofed, if $proxy is true)
 *         bool $proxy True, if a proxy was detected
 *         string $proxy_id The proxy-server IP address
 * }
 */
function ip_info() {
    $result = (object) array(
        'ip' => $_SERVER['REMOTE_ADDR'],
        'proxy' => false,
        'proxy_ip' => '',
    );

    /*
     * This code tries to bypass a proxy and get the actual IP address of
     * the visitor behind the proxy.
     * Warning: These values might be spoofed!
     */
    $ip_fields = array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR',
    );
    foreach ( $ip_fields as $key ) {
        if ( array_key_exists( $key, $_SERVER ) === true ) {
            foreach ( explode( ',', $_SERVER[$key] ) as $ip ) {
                $ip = trim( $ip );

                if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) !== false ) {
                    $forwarded = $ip;
                    break 2;
                }
            }
        }
    }

    // If we found a different IP address then REMOTE_ADDR then it's a proxy!
    if ( $forwarded != $result->ip ) {
        $result->proxy = true;
        $result->proxy_ip = $result->ip;
        $result->ip = $forwarded;
    }

    return $result;
}

User · Answer

We use          Get the customer s IP address         return string     public function getIpAddress         if   empty   SERVER  HTTP CLIENT IP               return   SERVER  HTTP CLIENT IP          else if   empty   SERVER  HTTP X FORWARDED FOR                ips   explode        SERVER  HTTP X FORWARDED FOR             return trim  ips count  ips  - 1          else           return   SERVER  REMOTE ADDR              The explode on HTTP X FORWARDED FOR is because of weird issues we had detecting IP addresses when Squid was used

User · Answer

I do wonder if perhaps you should iterate over the exploded HTTP X FORWARDED FOR in reverse order  since my experience has been that the user s IP address ends up at the end of the comma-separated list  so starting at the start of the header  you re more likely to get the ip address of one of the proxies returned  which could potentially still allow session hijacking as many users may come through that proxy

User · Answer

I m surprised no one has mentioned filter input  so here is Alix Axel s answer condensed to one-line   function get ip address  amp  keys     HTTP X FORWARDED FOR    HTTP X FORWARDED    HTTP X CLUSTER CLIENT IP    HTTP FORWARDED FOR    HTTP FORWARDED    HTTP CLIENT IP    REMOTE ADDR          return empty  keys       ip   filter input INPUT SERVER  array pop  keys   FILTER VALIDATE IP  FILTER FLAG NO PRIV RANGE   FILTER FLAG NO RES RANGE     ip   get ip address  keys

User · Answer

From Symfony s Request class https   github com symfony symfony blob 1bd125ec4a01220878b3dbc3ec3156b073996af9 src Symfony Component HttpFoundation Request php  const HEADER FORWARDED    forwarded   const HEADER CLIENT IP    client ip   const HEADER CLIENT HOST    client host   const HEADER CLIENT PROTO    client proto   const HEADER CLIENT PORT    client port           Names for headers that can be trusted when    using trusted proxies        The FORWARDED header is the standard as of rfc7239        The other headers are non-standard  but widely used    by popular reverse proxies  like Apache mod proxy or Amazon EC2       protected static  trustedHeaders   array      self  HEADER FORWARDED   gt   FORWARDED       self  HEADER CLIENT IP   gt   X FORWARDED FOR       self  HEADER CLIENT HOST   gt   X FORWARDED HOST       self  HEADER CLIENT PROTO   gt   X FORWARDED PROTO       self  HEADER CLIENT PORT   gt   X FORWARDED PORT              Returns the client IP addresses        In the returned array the most trusted IP address is first  and the    least trusted one last  The  real  client IP address is the last one     but this is also the least trusted one  Trusted proxies are stripped        Use this method carefully  you should use getClientIp   instead         return array The client IP addresses        see getClientIp       public function getClientIps          clientIps   array         ip    this- gt server- gt get  REMOTE ADDR        if    this- gt isFromTrustedProxy              return array  ip             if  self   trustedHeaders self  HEADER FORWARDED   amp  amp   this- gt headers- gt has self   trustedHeaders self  HEADER FORWARDED               forwardedHeader    this- gt headers- gt get self   trustedHeaders self  HEADER FORWARDED            preg match all    for           a-z0-9     -         forwardedHeader   matches            clientIps    matches 3         elseif  self   trustedHeaders self  HEADER CLIENT IP   amp  amp   this- gt headers- gt has self   trustedHeaders self  HEADER CLIENT IP               clientIps   array map  trim   explode       this- gt headers- gt get self   trustedHeaders self  HEADER CLIENT IP                 clientIps      ip     Complete the IP chain with the IP the request actually came from      firstTrustedIp   null      foreach   clientIps as  key   gt   clientIp               Remove port  unfortunately  it does happen          if  preg match        d     3  d     d      clientIp   match                  clientIps  key     clientIp    match 1                     if   filter var  clientIp  FILTER VALIDATE IP                 unset  clientIps  key                      if  IpUtils  checkIp  clientIp  self   trustedProxies                 unset  clientIps  key                   Fallback to this when the client IP falls into the range of trusted proxies             if  null       firstTrustedIp                     firstTrustedIp    clientIp                                       Now the IP chain contains only untrusted proxies and the client IP     return  clientIps   array reverse  clientIps    array  firstTrustedIp

User · Answer

Sanitizes IPv4 address according to Ilia Alshanetsky s book     php architect s Guide to PHP Security   chapter 2  page 67         param string  ip An IPv4 address     public static function sanitizeIpAddress  ip         if   ip                   rtnStr    0 0 0 0         else            rtnStr   long2ip ip2long  ip           return  rtnStr       ---------------------------------------------------         Returns the sanitized HTTP X FORWARDED FOR server variable         public static function getXForwardedFor     if  isset   SERVER  HTTP X FORWARDED FOR                rtnStr     SERVER  HTTP X FORWARDED FOR          elseif  isset  HTTP SERVER VARS  HTTP X FORWARDED FOR                rtnStr    HTTP SERVER VARS  HTTP X FORWARDED FOR          elseif  getenv  HTTP X FORWARDED FOR               rtnStr   getenv  HTTP X FORWARDED FOR          else            rtnStr                 Sanitize IPv4 address  Ilia Alshanetsky   if   rtnStr                   rtnStr   explode        rtnStr        rtnStr   self  sanitizeIpAddress  rtnStr 0           return  rtnStr       ---------------------------------------------------         Returns the sanitized REMOTE ADDR server variable         public static function getRemoteAddr     if  isset   SERVER  REMOTE ADDR                rtnStr     SERVER  REMOTE ADDR          elseif  isset  HTTP SERVER VARS  REMOTE ADDR                rtnStr    HTTP SERVER VARS  REMOTE ADDR          elseif  getenv  REMOTE ADDR               rtnStr   getenv  REMOTE ADDR          else            rtnStr                 Sanitize IPv4 address  Ilia Alshanetsky   if   rtnStr                   rtnStr   explode        rtnStr        rtnStr   self  sanitizeIpAddress  rtnStr 0           return  rtnStr       ---------------------------------------------------         Returns the sanitized remote user and proxy IP addresses         public static function getIpAndProxy      xForwarded   self  getXForwardedFor     remoteAddr   self  getRemoteAddr     if   xForwarded                   ip       xForwarded       proxy    remoteAddr        else            ip       remoteAddr       proxy              return array  ip   proxy

User · Answer

As someone said previously  the key here is for what reason you want to store user s ips   I ll give an example from a registration system I work on and of course the solution just to contribute sth in this old discussion that comes frequently in my searches   Many php registration libraries use ip to throttle lock out failed attempts based on user s ip  Consider this table   -- mysql DROP TABLE IF EXISTS  attempts   CREATE TABLE  attempts       id  int 11  NOT NULL AUTO INCREMENT     ip  varchar 39  NOT NULL     lt  lt            expiredate  datetime NOT NULL    PRIMARY KEY   id     ENGINE InnoDB DEFAULT CHARSET utf8   -- sqlite       Then  when a user tries to do a login or anything related with servicing like a password reset  a function is called at the start   public function isBlocked                       used one of the above methods to capture user s ip                     ip    this- gt ip           delete attempts from this ip with  expiredate  in the past        this- gt deleteAttempts  ip  false          query    this- gt dbh- gt prepare  SELECT count    FROM   this- gt token- gt get  table attempts    WHERE ip               query- gt execute array  ip           attempts    query- gt fetchColumn          if   attempts  lt  intval  this- gt token- gt get  attempts before verify                return  allow                 if   attempts  lt  intval  this- gt token- gt get  attempts before ban                return  captcha                 return  block          Say  for example   this- gt token- gt get  attempts before ban       10 and 2 users come for the same ips as is the case in the previous codes where headers can be spoofed  then after 5 attempts each both are banned  Even worst  if all come from the same proxy then only the first 10 users will be logged and all the rest will be banned   The critical here is that we need a unique index on table attempts and we can get it from a combination like     ip  varchar 39  NOT NULL    jwt load varchar 100  NOT NULL   where jwt load comes from a http cookie that follows the json web token technology where we store only the encrypted payload that should contain an arbitrary unique value for every user  Of course the request should be modified to   SELECT count    FROM   this- gt token- gt get  table attempts    WHERE ip     AND jwt load      and the class should also initiate a private  jwt

User · Answer

You pretty much answered your own question      function getRealIpAddr         if  empty   SERVER  HTTP CLIENT IP         Check IP address from shared Internet                IPaddress     SERVER  HTTP CLIENT IP              elseif   empty   SERVER  HTTP X FORWARDED FOR         To check IP address is passed from the proxy                IPaddress     SERVER  HTTP X FORWARDED FOR              else                IPaddress     SERVER  REMOTE ADDR              return  IPaddress      Source

User · Answer

Even then however  getting a user s real IP address is going to be unreliable  All they need to do is use an anonymous proxy server  one that doesn t honor the headers for http x forwarded for  http forwarded  etc  and all you get is their proxy server s IP address  You can then see if there is a list of proxy server IP addresses that are anonymous  but there is no way to be sure that is 100  accurate as well and the most it d do is let you know it is a proxy server  And if someone is being clever  they can spoof headers for HTTP forwards  Let s say I don t like the local college  I figure out what IP addresses they registered  and get their IP address banned on your site by doing bad things  because I figure out you honor the HTTP forwards  The list is endless  Then there is  as you guessed  internal IP addresses such as the college network I metioned before  A lot use a 10 x x x format  So all you would know is that it was forwarded for a shared network  Then I won t start much into it  but dynamic IP addresses are the way of broadband anymore  So  Even if you get a user IP address  expect it to change in 2 - 3 months  at the longest

User · Answer

Here s a modified version if you use CloudFlare caching layer Services  function getIP          fields   array  HTTP X FORWARDED FOR                        REMOTE ADDR                        HTTP CF CONNECTING IP                        HTTP X CLUSTER CLIENT IP         foreach  fields as  f                 tries     SERVER  f           if  empty  tries               continue           tries   explode      tries           foreach  tries as  try                         r   filter var  try                              FILTER VALIDATE IP  FILTER FLAG IPV4                               FILTER FLAG NO PRIV RANGE                               FILTER FLAG NO RES RANGE                if   r     false                                return  try                                    return false

User · Answer

My answer is basically just a polished  fully-validated  and fully-packaged  version of  AlixAxel s answer    lt  php     Get the  best known  client IP      if   function exists  getClientIP                  function getClientIP                                 if  isset   SERVER  HTTP CF CONNECTING IP                                                      SERVER  REMOTE ADDR       SERVER  HTTP CF CONNECTING IP                                            foreach  array  HTTP CLIENT IP    HTTP X FORWARDED FOR    HTTP X FORWARDED    HTTP X CLUSTER CLIENT IP    HTTP FORWARDED FOR    HTTP FORWARDED    REMOTE ADDR   as  key                                                if  array key exists  key    SERVER                                                                  foreach  explode        SERVER  key   as  ip                                                                                 ip   trim  ip                                            if  filter var  ip  FILTER VALIDATE IP  FILTER FLAG NO PRIV RANGE   FILTER FLAG NO RES RANGE      false                                                                                                return  ip                                                                                                                                                               return false                          best known ip   getClientIP     if  empty  best known ip                  ip    clients ip    client ip    client IP    best known ip        else                ip    clients ip    client ip    client IP    best known ip                 gt    Changes    It simplifies the function name  with  camelCase  formatting style   It includes a check to make sure the function isn t already declared in another part of your code  It takes into account  CloudFlare  compatibility  It initializes multiple  IP-related  variable names to the returned value  of the  getClientIP  function  It ensures that if the function doesn t return a valid IP address  all the variables are set to a empty string  instead of null  It s only  45  lines of code

User · Answer

I know this is too late to answer  But you may try these options  Option 1   Using curl   ch   curl init        set URL and other appropriate options curl setopt  ch  CURLOPT URL   quot https   ifconfig me  quot    curl setopt  ch  CURLOPT RETURNTRANSFER  1       grab URL and pass it to the browser  ip   curl exec  ch       close cURL resource  and free up system resources curl close  ch    return  ip   Option 2   Works good on mac  return trim shell exec  quot dig  short myip opendns com  resolver1 opendns com quot      Option 3   Just used a trick  return str replace  Current IP CheckCurrent IP Address         strip tags file get contents  http   checkip dyndns com       Might be a reference  https   www tecmint com find-linux-server-public-ip-address

User · Answer

i realize there are much better and more concise answers above  and this isnt a function nor the most graceful script around  In our case we needed to output both the spoofable x forwarded for and the more reliable remote addr in a simplistic switch per-say  It needed to allow blanks for injecting into other functions if-none or if-singular  rather than just returning the preformatted function   It needed an  on or off  var with a per-switch customized label s  for platform settings  It also needed a way for  ip to be dynamic depending on request so that it would take form of forwarded for   Also i didnt see anyone address isset   vs  empty   -- its possible to enter nothing for x forwarded for yet still trigger isset   truth resulting in blank var  a way to get around is to use  amp  amp  and combine both as conditions  Keep in mind you can spoof words like  PWNED  as x forwarded for so make sure you sterilize to a real ip syntax if your outputting somewhere protected or into DB   Also also  you can test using google translate if you need a multi-proxy to see the array in x forwarder for  If you wanna spoof headers to test  check this out Chrome Client Header Spoof extension  This will default to just standard remote addr while behind anon proxy   I dunno any case where remote addr could be empty  but its there as fallback just in case      proxybuster - attempts to un-hide originating IP if  reverse proxy provides methods to do so    enableProxyBust   true   if    enableProxyBust    true   amp  amp   isset   SERVER  REMOTE ADDR      amp  amp   isset   SERVER  HTTP X FORWARDED FOR      amp  amp    empty   SERVER  HTTP X FORWARDED FOR             ip   end array values array filter explode       SERVER  HTTP X FORWARDED FOR             ipProxy     SERVER  REMOTE ADDR         ipProxy label     behind proxy      elseif    enableProxyBust    true   amp  amp   isset   SERVER  REMOTE ADDR             ip     SERVER  REMOTE ADDR         ipProxy            ipProxy label     no proxy      elseif    enableProxyBust    false   amp  amp   isset   SERVER  REMOTE ADDR             ip     SERVER  REMOTE ADDR         ipProxy            ipProxy label         else        ip            ipProxy            ipProxy label           To make these dynamic for use in function s  or query echo views below  say for log gen or error reporting  use globals or just echo em in wherever you desire without making a ton of other conditions or static-schema-output functions   function fooNow         global  ip   ipProxy   ipProxy label         begin this actions such as log  error  query  or report     Thank you for all your great thoughts  Please let me know if this could be better  still kinda new to these headers

User · Answer

Here is a shorter  cleaner way to get the IP address  function get ip address        foreach  array  HTTP CLIENT IP    HTTP X FORWARDED FOR    HTTP X FORWARDED    HTTP X CLUSTER CLIENT IP    HTTP FORWARDED FOR    HTTP FORWARDED    REMOTE ADDR   as  key           if  array key exists  key    SERVER      true               foreach  explode        SERVER  key   as  ip                    ip   trim  ip      just to be safe                  if  filter var  ip  FILTER VALIDATE IP  FILTER FLAG NO PRIV RANGE   FILTER FLAG NO RES RANGE      false                       return  ip                                                      Your code seems to be pretty complete already  I cannot see any possible bugs in it  aside from the usual IP caveats   I would change the validate ip   function to rely on the filter extension though  public function validate ip  ip        if  filter var  ip  FILTER VALIDATE IP  FILTER FLAG NO PRIV RANGE   FILTER FLAG NO RES RANGE      false                return false             self   ip   sprintf   u   ip2long  ip       you seem to want this      return true     Also your HTTP X FORWARDED FOR snippet can be simplified from this     check for IPs passing through proxies if   empty   SERVER  HTTP X FORWARDED FOR              check if multiple ips exist in var     if  strpos   SERVER  HTTP X FORWARDED FOR             false                 iplist   explode        SERVER  HTTP X FORWARDED FOR                      foreach   iplist as  ip                        if   this- gt validate ip  ip                   return  ip                           else               if   this- gt validate ip   SERVER  HTTP X FORWARDED FOR                 return   SERVER  HTTP X FORWARDED FOR             To this     check for IPs passing through proxies if   empty   SERVER  HTTP X FORWARDED FOR            iplist   explode        SERVER  HTTP X FORWARDED FOR                  foreach   iplist as  ip                if   this- gt validate ip  ip               return  ip           You may also want to validate IPv6 addresses

User · Answer

Just a VB NET version of the answer   Private Function GetRequestIpAddress   As IPAddress     Dim serverVariables   HttpContext Current Request ServerVariables     Dim headersKeysToCheck     HTTP CLIENT IP                                    HTTP X FORWARDED FOR                                    HTTP X FORWARDED                                    HTTP X CLUSTER CLIENT IP                                    HTTP FORWARDED FOR                                    HTTP FORWARDED                                    REMOTE ADDR       For Each thisHeaderKey In headersKeysToCheck         Dim thisValue   serverVariables Item thisHeaderKey          If thisValue IsNot Nothing Then             Dim validAddress As IPAddress   Nothing             If IPAddress TryParse thisValue  validAddress  Then                 Return validAddress             End If         End If     Next     Return Nothing End Function

User · Answer

Thanks for this  very useful   It would help though if the code were syntactically correct  As it is there s a   too many around line 20  Which I m afraid means nobody actually tried this out   I may be crazy  but after trying it on a few valid and invalid addresses  the only version of validate ip   that worked was this       public function validate ip  ip                if  filter var  ip  FILTER VALIDATE IP  FILTER FLAG NO PRIV RANGE      false              return false          if  filter var  ip  FILTER VALIDATE IP  FILTER FLAG NO RES RANGE      false              return false          if  filter var  ip  FILTER VALIDATE IP  FILTER FLAG IPV4      false  amp  amp  filter var  ip  FILTER VALIDATE IP  FILTER FLAG IPV6      false              return false           return true

User · Answer

Just another clean way     function validateIp  var ip        ip   trim  var ip        return   empty  ip   amp  amp               ip       1   amp  amp               ip     127 0 0 1   amp  amp              filter var  ip  FILTER VALIDATE IP  FILTER FLAG NO PRIV RANGE   FILTER FLAG NO RES RANGE      false                 ip   false         function getClientIp          ip     this- gt validateIp   SERVER  HTTP CLIENT IP                   this- gt validateIp   SERVER  HTTP X FORWARDED FOR                   this- gt validateIp   SERVER  HTTP X FORWARDED                   this- gt validateIp   SERVER  HTTP FORWARDED FOR                   this- gt validateIp   SERVER  HTTP FORWARDED                   this- gt validateIp   SERVER  REMOTE ADDR                  LOCAL OR UNKNOWN ACCESS        return  ip

User · Answer

The biggest question is for what purpose  Your code is nearly as comprehensive as it could be - but I see that if you spot what looks like a proxy added header  you use that INSTEAD of the CLIENT IP  however if you want this information for audit purposes then be warned - its very easy to fake  Certainly you should never use IP addresses for any sort of authentication - even these can be spoofed  You could get a better measurement of the client ip address by pushing out a flash or java applet which connects back to the server via a non-http port  which would therefore reveal transparent proxies or cases where the proxy-injected headers are false - but bear in mind that  where the client can ONLY connect via a web proxy or the outgoing port is blocked  there will be no connection from the applet

[php] What is the most accurate way to retrieve a user's correct IP address in PHP?

Examples related to php

Examples related to ip-address