I have developed a PHP webservice. I would like to log all incoming connections of the WS clients, which are consuming this web service. How can I obtain the client's IP address? The value of
$_SERVER['HTTP_CLIENT_IP']
- Did you solve this? What was the print_r(of $_SERVER); ?Ben G– Ben G2010-08-19 05:23:28 +00:00Commented Aug 19, 2010 at 5:23
Add a comment |
10 Answers
This should be what you want:
$_SERVER['REMOTE_ADDR'] The IP address from which the user is viewing the current page.
3 Comments
simon
I tried this, the value seems to be empty as well. I'm consuming the web service from a Java client on a local network. Maybe I'll just try outputting all the server variables to see if any of them contains the requesting IP address.
Tom Haigh
What web server and php version are you using and how is it configured?
simon
The web server is Apache 2.2.1.1 and PHP version is 5.2.8. The PHP code I'm developing is running as a part of the KnowledgeTree 3.6.1 server. I've also tried reading the IP address from the (knowledgeTree) built-in functions session->resolveIp etc, but without success.
Actually, I would suggest using this function to cover all of your bases, such as people using proxies, shared networks etc.:
function getUserIpAddr() { if (!empty($_SERVER['HTTP_CLIENT_IP'])) //if from shared { return $_SERVER['HTTP_CLIENT_IP']; } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //if from a proxy { return $_SERVER['HTTP_X_FORWARDED_FOR']; } else { return $_SERVER['REMOTE_ADDR']; } } 
3 Comments
Emil Vikström
This can be easily spoofed by sending a fake X-Forwarded-For header!
Ben G
Good point. Proly makes sense to make sure that there's no mismatch between REMTOE_ADDR and HTTP_X_FORWARDED_FOR if you want to catch fakes
jayarjo
Actually the whole point of proxies is that there will be a mismatch between REMOTE_ADDR and HTTP_X_FORWARDED_FOR.
Make sure not to trust data sent from the client. $_SERVER['REMOTE_ADDR'] contains the real IP address of the connecting party. That is the most reliable value you can find.
However, they can be behind a proxy server in which case the proxy may have set the $_SERVER['HTTP_X_FORWARDED_FOR'], but this value is easily spoofed. It can be set by someone without a proxy to whatever value the user wants, or the IP can be an internal IP from the LAN behind the proxy.
This means that if you are going to save the $_SERVER['HTTP_X_FORWARDED_FOR'], make sure you also save the $_SERVER['REMOTE_ADDR'] value, e.g., by saving both values in different fields in your database.
If you are going to save the IP to a database as a string, make sure you have space for at least 45 characters. IPv6 is here to stay and those addresses are larger than the older IPv4 addresses.
Comments
The functions getUserIpAddr() and getRealIpAddr() are not reliable!
The only reliable IP is from $ip = $_SERVER["REMOTE_ADDR"]; Otherwise anyone could fake his IP address by sending the CLIENT_IP header for example.
This Firefox Addon can help you send custom headers. Sending the CLIENT_IP=x.x.x.x header to a server running any of the functions on this page, would mean that clients can choose any IP they want...
Comments
Are you using some kind of framework for your webservice? I saw some frameworks (For instance Agavi) which intentionally delete all the $SERVER data because they want to enfore you to use the validated values from a framework service.
Comments
If this dont do the job i dont know what does..
function getClientIP() { if (isset($_SERVER)) { if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) return $_SERVER["HTTP_X_FORWARDED_FOR"]; if (isset($_SERVER["HTTP_CLIENT_IP"])) return $_SERVER["HTTP_CLIENT_IP"]; return $_SERVER["REMOTE_ADDR"]; } if (getenv('HTTP_X_FORWARDED_FOR')) return getenv('HTTP_X_FORWARDED_FOR'); if (getenv('HTTP_CLIENT_IP')) return getenv('HTTP_CLIENT_IP'); return getenv('REMOTE_ADDR'); } 
1 Comment
Emil Vikström
This can be easily spoofed with a fake X-Forwarded-For header!
My preferred function:
public static function get_remote_ip() { if(isset($_SERVER['REMOTE_ADDR']) && !empty($_SERVER['REMOTE_ADDR'])) { return $_SERVER['REMOTE_ADDR']; } if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { return $_SERVER['HTTP_X_FORWARDED_FOR']; } return null; } 
Comments
You might try
<?php var_dump($_SERVER); to see all vars. But that actually also depends on the backend your script is running at. Is that Apache?
answered Sep 17, 2009 at 20:05
Vladislav Rastrusny
30.2k23 gold badges100 silver badges158 bronze badges
Comments
<?php $ip=$_SERVER['REMOTE_ADDR']; echo "Your IP Address is $ip"; ?> and to insert into database just use $ip
Comments
<?php function getIP() { $ip; if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP"); else if(getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR"); else if(getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR"); else $ip = "UNKNOWN"; return $ip; } //----------------------------------------------- //Usage: $client_ip=getIP(); echo "Your IP :".$client_ip; ?> 
4 Comments
Emil Vikström
This is easily spoofed by a fake X-Forwarded-For header.
Tarun Gupta
Then you can try $_SERVER to get the info of client. This was just another way one can use.
Emil Vikström
My downvote is for treating X-Forwarded-For and Client-IP HTTP headers as if they are the same thing as (or even better than!) the remote address. They are not. They are easy to fake so they should not be trusted at all, except possibly in an internal network. If you are going to read those headers, make sure you to also save the real remote address. Your address does not reflect that at all so I hope nobody uses this function in a real environment.
Tarun Gupta
Emil Vikstrom .. thats why i have replied that this is one of another way .. i am not suggesting it to anybody ,