Can You Really Trust $_SERVER['REMOTE_ADDR']?

The Reliability of $_SERVER['REMOTE_ADDR']

The $_SERVER['REMOTE_ADDR'] is a vital variable in web development, providing the IP address of the client initiating an HTTP request. However, there is a common misconception that this value can be easily spoofed, leading to concerns about its trustworthiness.

Can $_SERVER['REMOTE_ADDR'] Be Trusted?

Yes, it is generally safe to trust the $_SERVER['REMOTE_ADDR'] value. It represents the IP address of the client's TCP connection and cannot be modified by altering HTTP headers. This is because the IP address is a property of the TCP/IP connection and is not transmitted as part of the HTTP headers.

Potential Pitfalls

However, there is one important exception to this rule. If your server is behind a reverse proxy, the REMOTE_ADDR will represent the IP address of the proxy server, not the client. In this case, the client's IP address will be included in an HTTP header, typically X-Forwarded-For.

For example, if your server is behind a reverse proxy with the IP address 111.111.111.111, requests to your server will appear to originate from that IP address. To obtain the client's IP address in this scenario, you would need to examine the X-Forwarded-For header.

However, in most common scenarios where you are directly receiving HTTP requests from clients without a reverse proxy, trusting $_SERVER['REMOTE_ADDR'] is a reliable approach for determining the client's IP address.

The above is the detailed content of Can You Really Trust $_SERVER['REMOTE_ADDR']?. For more information, please follow other related articles on the PHP Chinese website!