IP source analysis of an IP-restricted voting program implemented in PHP

WBOY
2016-05-16 19:53:11

This article uses an example to analyze how an IP-restricted voting program implemented in PHP obtains the client IP address. The details are as follows:

After receiving a requirement for a voting event, IP restrictions needed to be implemented: each IP address is limited to a certain number of votes. I searched for the keywords "PHP client IP" in a search engine, and the results were basically the following:

if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
   $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
   $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
   $onlineip = getenv('REMOTE_ADDR');
} elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
   $onlineip = $_SERVER['REMOTE_ADDR'];
}

This code is used in the widely used "discuz" forum software, as well as in many other open source PHP programs. The general idea is to obtain the final client IP address (so that the IP address of a user who connects through a proxy can still be obtained).

Since many mature programs use this code to obtain the client IP address, I thought I could safely use it in my program. Fortunately, a colleague later reminded me that this code cannot be used in a program that restricts voting by IP, because HTTP_X_FORWARDED_FOR can be forged: the client just adds X-Forwarded-For to the request header. What $_SERVER['HTTP_X_FORWARDED_FOR'] receives on the server side is the content of this request header.

Let me explain it using a program:

The script at http://localhost/i.php obtains the IP address using the code above and prints it out.

The following code constructs a request for this URL, with X-Forwarded-For added to the request header:

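// Build a raw HTTP request in which the client chooses the X-Forwarded-For value
$head = array();
$head[] = 'GET /i.php HTTP/1.1';
$head[] = 'Host: localhost';
$head[] = 'X-Forwarded-For: 255.255.255.255';
$head[] = 'Connection: Close';
$head = join("\r\n", $head);   // header lines are separated by CRLF
$head .= "\r\n\r\n";           // an empty line ends the header block
$fp = fsockopen('localhost', 80);
if (!$fp) {
   die('could not connect to localhost:80');
}
fwrite($fp, $head);
// Read the whole response and print it
$response = array();
while ($buff = fread($fp, 4096)) {
   $response[] = $buff;
}
fclose($fp);
print join('', $response);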

Executing this code, you can see that the server side (localhost/i.php) printed 255.255.255.255.
This shows that this method of obtaining the client IP is not advisable for voting that is restricted by IP, because the client's IP address can be forged. Although using $_SERVER['REMOTE_ADDR'] directly does not obtain the user's final IP address, it implements the restriction directly and effectively.
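
An added example (not part of the original article or of discuz): a client-IP lookup for vote limiting that uses REMOTE_ADDR and reads X-Forwarded-For only when the connection comes from a reverse proxy you operate. TRUSTED_PROXIES, voting_client_ip() and all addresses are constructed for illustration, and it assumes your proxies append the address of the peer they accepted to X-Forwarded-For.

```php
<?php
// Added example. TRUSTED_PROXIES is a hypothetical deployment setting:
// the addresses of reverse proxies you operate (constructed sample values).
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

// Return the address to count votes against, or null if none is usable.
// $server is normally $_SERVER; it is a parameter so the function runs offline.
function voting_client_ip(array $server, array $trusted = TRUSTED_PROXIES): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address: refuse the vote
    }
    // Peer is not one of our proxies: every header it sent is untrusted input.
    if (!in_array($remote, $trusted, true)) {
        return $remote;
    }
    // Peer is our proxy: walk X-Forwarded-For from the right (nearest hop
    // first) and return the first hop that is not one of our proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $remote; // header absent or unusable: fall back to the peer address
}

// Constructed $_SERVER-like inputs
$cases = [
    'direct client, forged header' => ['REMOTE_ADDR' => '203.0.113.7',
                                       'HTTP_X_FORWARDED_FOR' => '255.255.255.255'],
    'via trusted proxy'            => ['REMOTE_ADDR' => '10.0.0.5',
                                       'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'via proxy, forged left entry' => ['REMOTE_ADDR' => '10.0.0.5',
                                       'HTTP_X_FORWARDED_FOR' => '255.255.255.255, 198.51.100.23'],
];
foreach ($cases as $label => $server) {
    printf("%-30s => %s\n", $label, voting_client_ip($server));
}
```

Addresses are compared as strings here, so list trusted proxies in exactly the form the server reports them.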

Of course, that code cannot be said to be wrong. In cases where no restriction is tied to the IP address, it should be used. For example, on a website with many regional sub-sites, the user's IP address can be used to redirect the user directly to the sub-site for the region where the user is located.

I hope this article will be helpful to everyone in PHP programming.
