Home > Article > Backend Development > Use CURL to forge source URLs and IP_PHP tutorial
Many votes have to verify the URL and IP of the source, but using CURL, you can forge any URL and IP to bypass some simple verifications. Here is a simple example.
Before running the program, please make sure extension=php_curl.dll in php.ini is not commented out.
test.php
<?php $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://localhost/test_2.php"); curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:8.8.8.8', 'CLIENT-IP:8.8.8.8')); //构造IP curl_setopt($ch, CURLOPT_REFERER, "http://www.bkjia.com/ "); //构造来路 curl_setopt($ch, CURLOPT_HEADER, 1); $out = curl_exec($ch); curl_close($ch); ?>
test.php will send a request to test_2.php.
<?php function getClientIp() { if (!empty($_SERVER["HTTP_CLIENT_IP"])) $ip = $_SERVER["HTTP_CLIENT_IP"]; else if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) $ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; else if (!empty($_SERVER["REMOTE_ADDR"])) $ip = $_SERVER["REMOTE_ADDR"]; else $ip = "err"; return $ip; } echo "<br />IP: " . getClientIp() . ""; echo "<br />referer: " . $_SERVER["HTTP_REFERER"]; ?>
The results of running the program are as follows:
HTTP/1.1 200 OK Date: Tue, 01 Nov 2011 12:20:06 GMT Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 X-Powered-By: PHP/5.2.9 Content-Length: 53 Content-Type: text/html IP: 8.8.8.8 referer: http://www.bkjia.com/
As you can see, the IP and address can be changed at will. For many voting functions with imperfect voting mechanisms, you can use this to brush votes.
By the way, about the real IP.
Generally, the environment variable $_SERVER['REMOTE_ADDR'] is used to obtain the user's IP. However, this variable only records the last host IP. Therefore, when the user's browser has a Proxy set, his real IP cannot be obtained. .
At this time, you can use another environment variable $_SERVER['HTTP_X_FORWARDED_FOR']. It will record the host IP passed by, but it will only be generated when the user uses a Proxy, so you can write it like the following to get it. or the real IP.
<?php if ( empty( $_SERVER['HTTP_X_FORWARDED_FOR'])) { $myip = $_SERVER['REMOTE_ADDR']; } else { $myip = explode( ',' , $_SERVER['HTTP_X_FORWARDED_FOR']); $myip = $myip [0]; } echo $myip; ?>