{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 疯言疯语 的问题《Can we spoof $_SERVER['REMOTE_ADDR'] / use》','https://www.manongdao.com/q-533968.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Well the title basically says it.
But for more info . .
This method works but . .
$ip = '1.1.1.1';
curl_setopt($handle, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "X_FORWARDED_FOR: $ip"));
It only adds these two keys on the $_SERVER array
HTTP_REMOTE_ADDRHTTP_X_FORWARDED_FOR
The key REMOTE_ADDR still remains the same.
Can REMOTE_ADDR be changed? The answer here says NO. But a comment also says It may, however, NOT be the user's real IP address because it may be hidden by proxies and other methods. That is why the general rule is to not depend on $_SERVER['REMOTE_ADDR'] for a security feature.
With all that aside is there a curl php method to also hide/mask/change the ip? (any other php method aside from the above code would do.)
AND
Is there a way for countering the method OR Is there a way to get the ACTUAL REAL IP of a user?
Cheers!
No.
$_SERVER['REMOTE_ADDR']is the actual physical IP address the client used to connect to the webserver, as confirmed by a three-way TCP handshake. There's no way to fake this by setting simple HTTP headers. You also cannot make the webserver/PHP overwrite this value with something else in any way.$_SERVER['REMOTE_ADDR']is set from TCP connection information, period.To actually spoof an IP address, you have to go much deeper into the actual network layer and have some level of control over network equipment/man in the middle positions/proxies/whatnot to actually be able to establish a TCP connection from an IP address other than the one you're establishing it from.
No. "The actual IP address of the user" is the address your webserver received the connection from, period. There is no other address for you. The client connects to your server from a certain IP, this is confirmed with a three-way TCP handshake, that's the only address you know for this client. This client may be a proxy or a NAT router (i.e. a proxy) or something else, you simply do not know and neither should it make any difference to you.
If the client uses a browser behind a proxy, the
$_SERVER['REMOTE_ADDR']will be the IP address of the proxy. The remote address is the IP of the machine that is making the connection.If the proxy uses headers to indicate if the connection is performed in behalf of other machines, you can use these headers to determine the IP of the browser behind the proxy.
$_SERVER['HTTP_X_FORWARDED_FOR'],$_SERVER['HTTP_X_FORWARDED'],$_SERVER['HTTP_FORWARDED_FOR']and$_SERVER['HTTP_FORWARDED']Note that the RFC 6648 deprecated the
X-*headers and the RFC 7239 deprecatedX-Forwarded-*by defining aForwardedheader.You can check some answers at