Reliability of PHP's $_SERVER['REMOTE_ADDR']

Published 2019-02-06 19:32

Question:

I'm building a site that is designed to be administered from localhost, but contains pages that expose data to internet or local network users. Can I rely on PHP's $_SERVER['REMOTE_ADDR'] as a secure/reliable way of identifying the user as localhost? Thanks!

Edit: To clarify, I am only concerned with determining whether or not the request originates from localhost (perhaps there is a better way).

Answer 1:

That variable is filled with data provided by Apache (or another web server daemon) and should be reliable in identifying the IP address on the other end of the connection, yes. Check for 127.x.x.x (almost always 127.0.0.1) and ::1 (for IPv6). As Senica says, it may not always exist (for example, when running from the command line rather than through the web server). But if it is filled, it should be reliable.

To be able to fake it, somebody already needs pretty extensive access to your network and system in a way that you can't protect against with PHP anyway.
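As an added example (not code from the answer above), here is a loopback check along the lines the answer describes: it accepts the whole 127.0.0.0/8 range and ::1, also the IPv4-mapped form ::ffff:127.x.x.x, rejects anything that is not a clean IP literal, and treats a missing REMOTE_ADDR (the command-line case) as not-localhost. The function names and the sample addresses are assumptions made for the example.

```php
<?php
// Added example, not from the original answer: decide whether a request
// came in over the loopback interface using only REMOTE_ADDR.
// Function names and sample inputs below are assumptions.

function is_loopback_address(string $ip): bool
{
    // Reject anything that is not a clean IP literal (trailing junk, names, ...)
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $packed = inet_pton($ip);
    if ($packed === false) {
        return false;
    }
    // IPv4: the whole 127.0.0.0/8 block is loopback, not only 127.0.0.1
    if (strlen($packed) === 4) {
        return ord($packed[0]) === 127;
    }
    // IPv6: exactly ::1 ...
    if ($packed === inet_pton('::1')) {
        return true;
    }
    // ... or an IPv4-mapped loopback, ::ffff:127.x.x.x
    $mapped_prefix = str_repeat("\0", 10) . "\xff\xff";
    return substr($packed, 0, 12) === $mapped_prefix && ord($packed[12]) === 127;
}

function is_loopback_request(array $server): bool
{
    // REMOTE_ADDR is absent on the CLI and in some non-HTTP SAPIs: treat
    // "unknown" as "not localhost" (fail closed) rather than as trusted.
    if (!isset($server['REMOTE_ADDR']) || !is_string($server['REMOTE_ADDR'])) {
        return false;
    }
    return is_loopback_address($server['REMOTE_ADDR']);
}

// Constructed sample $_SERVER arrays for illustration
$samples = [
    ['REMOTE_ADDR' => '127.0.0.1'],
    ['REMOTE_ADDR' => '127.8.9.10'],
    ['REMOTE_ADDR' => '::1'],
    ['REMOTE_ADDR' => '::ffff:127.0.0.1'],
    ['REMOTE_ADDR' => '192.168.1.20'],
    ['REMOTE_ADDR' => '127.0.0.1 '],   // trailing space: not a valid literal
    [],                                 // CLI run: no REMOTE_ADDR at all
];
foreach ($samples as $s) {
    printf("%-20s => %s\n",
        $s['REMOTE_ADDR'] ?? '(unset)',
        is_loopback_request($s) ? 'localhost' : 'remote');
}
```

Run it with `php` from the command line. One deployment caveat worth checking: if the PHP process sits behind a reverse proxy on the same machine, every request arrives from 127.0.0.1 and this check tells you nothing about the real client; in that layout the proxy's own client-address handling is what has to make the decision.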



Answer 2:

No. It depends on the web server whether it serves up remote_addr or not.

RETRACT THAT...was thinking about HTTP_REFERER.

It should give you the IP address...yes. Remember there could be proxies.



Answer 3:

This may not typically apply to connections from localhost, but you should take proxies into account. If the remote end is using an HTTP proxy, $_SERVER['REMOTE_ADDR'] will contain the IP address of that proxy rather than the IP address of the client itself.

However, if it is a proxy which has privacy settings disabled, then you may have a chance to obtain client IP using the following snippet:

// Returns the IP address reported for the request: X-Forwarded-For
// (which will be set by the proxy if no privacy is enabled), else REMOTE_ADDR.
function get_client_ip() {
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else if (isset($_SERVER['REMOTE_ADDR'])) {
        return $_SERVER['REMOTE_ADDR'];
    }
    return null; // neither set (e.g. CLI)
}

But if your client is using an HTTP proxy with privacy enabled, then you won't have a chance to get the client's IP.


Security Hint (thanks @deceze): Note that if you rely on the HTTP_X_FORWARDED_FOR header, it will be easy for attackers to spoof their IP. Although this is possible using other techniques as well, it will be very easy using the HTTP_X_FORWARDED_FOR header. You have been warned. But anyway, a web application should never use IP information for security, therefore it's just a side-note.
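The spoofing the hint describes, shown as an added example that is not part of the answer: `client_ip_naive()` mirrors the snippet above (header wins whenever present), while `client_ip_trusted()` only consults X-Forwarded-For when REMOTE_ADDR is one of a hard-coded list of proxies you operate, and then walks the chain from the right so that entries the client wrote itself are never reached. The proxy addresses, function names and request arrays are constructed assumptions.

```php
<?php
// Added example, not from the original answer. Contrasts the spoofable
// header-first lookup with one that trusts X-Forwarded-For only behind
// proxies you control. TRUSTED_PROXIES and the sample requests are made up.

// Hypothetical addresses of the reverse proxies / load balancers you run.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Naive version, same logic as the answer's snippet: the header wins.
function client_ip_naive(array $server): ?string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    return $server['REMOTE_ADDR'] ?? null;
}

// Hardened version: start from REMOTE_ADDR (set from the TCP connection,
// not by the client), then peel trusted proxy hops off the right of the chain.
function client_ip_trusted(array $server, array $trusted): ?string
{
    $addr = $server['REMOTE_ADDR'] ?? null;
    if ($addr === null || !in_array($addr, $trusted, true)) {
        // Direct connection or unknown proxy: the header is untrusted input.
        return $addr;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // The rightmost entry was appended by the last trusted proxy. Walk
    // leftwards past trusted hops and stop at the first address that is not one.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $addr; // malformed or empty chain: fall back to the proxy
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $addr; // every hop was one of our proxies
}

// Constructed requests:
$direct_spoof = [
    'REMOTE_ADDR'          => '203.0.113.9',   // connects directly to us
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',     // claims to be localhost
];
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.5',      // our load balancer
    // leftmost entry was supplied by the client, the rest by our proxies
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7, 10.0.0.6',
];

printf("naive:   direct=%s  proxied=%s\n",
    client_ip_naive($direct_spoof), client_ip_naive($via_proxy));
printf("trusted: direct=%s  proxied=%s\n",
    client_ip_trusted($direct_spoof, TRUSTED_PROXIES),
    client_ip_trusted($via_proxy, TRUSTED_PROXIES));
```

The naive lookup reports 127.0.0.1 for both requests, which is exactly the spoof the hint warns about; the trusted-proxy version reports 203.0.113.9 for the direct connection and 198.51.100.7 for the proxied one, ignoring the client-supplied 127.0.0.1 at the left of the chain.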



Tags: php security