Home > Article > Backend Development > Analysis and implementation code of 5 situations for PHP to obtain the real IP address of the client, analysis of 5 situations_PHP tutorial
$_SERVER["REMOTE_ADDR"] is often used in PHP to obtain the client IP.
(1) But if the client uses a proxy server to access, what is obtained is the IP address of the proxy server, not the real client IP address. To obtain the client's real IP address through a proxy server, use $_SERVER["HTTP_X_FORWARDED_FOR"] to read it.
(2) But only when the client uses a "transparent proxy", the value of $_SERVER["HTTP_X_FORWARDED_FOR"] is the client's real IP (if it is a multi-layer proxy, this value may be the client's real IP and multiple It consists of the IP addresses of proxy servers, separated by commas ",").
(3) In the case of "anonymous proxy" and "deceptive proxy", it is the IP value of the proxy server (if it is a multi-layer proxy, this value may consist of the IPs of multiple proxy servers, separated by commas ",") .
(4) NULL in case of "high anonymity proxy".
Regarding the REMOTE_ADDR and HTTP_FORWARDED_FOR values in the HTTP header information, the analysis is as follows, assuming that the client’s real IP is 221.5.252.160:
1. PHP without using proxy server to obtain client IP:
2. The use of transparent proxy servers: Transparent Proxies
This type of proxy server still sends the client’s real IP to the access object, which cannot achieve the purpose of hiding the true identity.
3. Using PHP of ordinary anonymous proxy server to obtain client IP: Anonymous Proxies
In this case, the real IP of the client is hidden, but it is revealed to the access object that the client uses a proxy server to access them.
4. The use of deceptive proxy servers: Distorting Proxies
This case also reveals that the client uses a proxy server, but fabricates a fake random IP (220.4.251.159) instead of the client's real IP to spoof it.
5. Using PHP with high anonymity proxy server to obtain client IP: High Anonymity Proxies (Elite proxies)
HTTP_VIA=No value or not displayed
HTTP_X_FORWARDED_FOR = No value or not displayed.
Whether it is REMOTE_ADDR or HTTP_FORWARDED_FOR, these header messages may not be available because different browsers and different network devices may send different IP header messages. Therefore, the value obtained by PHP using $_SERVER["REMOTE_ADDR"] and $_SERVER["HTTP_X_FORWARDED_FOR"] may be a null value or an "unknown" value.
Another point to note when obtaining the client IP in PHP is that you can use the function getenv('HTTP_X_FORWARDED_FOR') or getenv('REMOTE_ADDR') to achieve the same effect as the above code. But getenv() does not support PHP running in IIS isapi mode.
REMOTE_ADDR is the IP when your client "handshakes" with your server. If an "anonymous proxy" is used, REMOTE_ADDR will display the IP of the proxy server.
HTTP_CLIENT_IP is the HTTP header sent by the proxy server. If it is a "super anonymous proxy", a value of none is returned. Likewise, REMOTE_ADDR will be replaced with the IP of this proxy server.
$_SERVER['REMOTE_ADDR']; //Accessor (may be a user, maybe a proxy) IP
$_SERVER['HTTP_CLIENT_IP']; //Agent-side (may exist, can be forged)
$_SERVER['HTTP_X_FORWARDED_FOR']; //Which IP does the user use as a proxy (may exist or can be forged)
PHP code written based on the above situations:
If this function is applied to a webpage with restricted IP access, others will not be able to access the page even through the proxy server in the restricted IP access segment.
A function is provided below: // Define a function getIP()
function getIP(){global $ip;
if (getenv("HTTP_CLIENT_IP"))
$ip = getenv("HTTP_CLIENT_IP");
else if(getenv("HTTP_X_FORWARDED_FOR"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if(getenv("REMOTE_ADDR"))
$ip = getenv("REMOTE_ADDR");else$ip = "Unknow";
return $ip;}
// Usage:
echo getIP();?>
getenv("REMOTE_ADDR") is used to obtain the client's IP address, but if the client uses a proxy server to access, what is obtained is the IP address of the proxy server, not the real client IP address. To obtain the client's real IP address through the proxy server, use getenv("HTTP_X_FORWARDED_FOR") to read it.
But if the client does not access through a proxy server, the value obtained with getenv("HTTP_X_FORWARDED_FOR") will be empty.
else if(getenv("HTTP_X_FORWARDED_FOR"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
means if the value obtained by getenv("HTTP_X_FORWARDED_FOR") is not empty (that is, the client uses In the case of proxy server), the variable $ip is equal to the real IP value obtained by getenv("HTTP_X_FORWARDED_FOR").
If the value obtained by the above else if(getenv("HTTP_X_FORWARDED_FOR")) is empty (that is, no proxy server is used), the following $ip = getenv("HTTP_X_FORWARDED_FOR"); line statement will not be executed.
In this case it has been confirmed that the client does not use a proxy server, thus passing
else if(getenv("REMOTE_ADDR"))
. If this function is applied to a web page with restricted IP access, others will not be able to access the page even through the proxy server in the restricted IP access segment. A function is provided below: getenv("REMOTE_ADDR") is used to obtain the client's IP address. However, if the client uses a proxy server to access, what is obtained is the IP address of the proxy server, not the real IP address. client IP address. To obtain the client's real IP address through the proxy server, use getenv("HTTP_X_FORWARDED_FOR") to read it. But if the client does not access through a proxy server, the value obtained with getenv("HTTP_X_FORWARDED_FOR") will be empty. else if(getenv("HTTP_X_FORWARDED_FOR"))$ip = getenv("HTTP_X_FORWARDED_FOR"); means that if the value obtained by getenv("HTTP_X_FORWARDED_FOR") is not empty (that is, when the client uses a proxy server), the variable $ip is equal to the real IP value obtained by getenv("HTTP_X_FORWARDED_FOR"). If the value obtained by the above else if(getenv("HTTP_X_FORWARDED_FOR")) is empty (that is, no proxy server is used), the following $ip = getenv("HTTP_X_FORWARDED_FOR"); line statement will not be executed. In this case, it has been confirmed that the client does not use a proxy server, so the client's IP address obtained through the else if(getenv("REMOTE_ADDR")) two-line statement is also the real IP address.