Capture User's IP Address

Is there a way to reliably capture a User’s IP Address using PHP?

If so, how is it done?



$_SERVER['REMOTE_ADDR']

That is all there is to it.


I don’t have a good example right now, but could you help give me some context please?

I am wrapping up a new release that allows Registered Users to Comment on Articles on my website. (Comments must be approved by me before they appear.)

It seems like two things would be useful for “user forensics” on my website…

1.) From which IP Address did a User originally register?

2.) For each Comment, from which IP Address is a User Commenting?

So in either case, what do I do with your snippet above?

Do I do something like…

$currentIP = $_SERVER['REMOTE_ADDR'];

// Build query.
$q = "INSERT INTO member(email, hash, first_name, activation_code, registrationIP, created_on)
      VALUES(?, ?, ?, ?, ?, NOW())";

Also, is there any way that using that function would give a “False Positive” or a result that is somewhat misleading?


It is a very poor idea to identify users by IP addresses. You would do better to set a unique-value cookie instead.

Are you using this to easily publish a bunch of comments from known “trusted” users at one time? If that is the case I don’t see any real harm in inaccuracy so long as XSS is taken care of and whatnot. Generally speaking the IP address is not to be trusted and in no way identifies a unique user or even represents an actual user’s IP (heard of a proxy?). However, for your purposes I can’t think of any harm. Just so long as you’re not automatically authenticating users based on IP… that would be a huge security gap.

My intent was to capture the User’s IP Address during Registration and every time he/she Posts a Comment.

That way if I have someone who is causing problems, I can look at the IP Address in aggregate and see if I can identify a pattern.

Maybe the IP is in a country I am not favorable to (e.g. India or China)?

Maybe the User’s account was fine and based in Iowa, and now they appear to be a spammer in India? Could be a sign that the person in Iowa’s account was hacked?

And so on.

I’m no forensics expert, but I figured it can’t hurt to capture it as I prepare my Release #2 website which allows Users to Create Accounts and Post Comments.

Make sense?
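The capture-and-aggregate idea described above, as an added example that is not code from any poster in this thread: it stores the validated REMOTE_ADDR at registration and on each comment, then summarises the addresses per member for manual review. The in-memory SQLite database, the table and column names (modelled on the query quoted earlier), the helper names and the sample addresses are all assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the site's database; table and column
// names are assumptions modelled on the query quoted in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member  (id INTEGER PRIMARY KEY, email TEXT, registration_ip TEXT, created_on TEXT)');
$db->exec('CREATE TABLE comment (id INTEGER PRIMARY KEY, member_id INTEGER, body TEXT, ip TEXT, created_on TEXT)');

/** Return a validated IPv4/IPv6 address or null; the raw value is never stored unchecked. */
function peerIp(array $server): ?string
{
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function register(PDO $db, string $email, array $server): int
{
    $st = $db->prepare("INSERT INTO member (email, registration_ip, created_on) VALUES (?, ?, datetime('now'))");
    $st->execute([$email, peerIp($server)]);
    return (int) $db->lastInsertId();
}

function addComment(PDO $db, int $memberId, string $body, array $server): void
{
    $st = $db->prepare("INSERT INTO comment (member_id, body, ip, created_on) VALUES (?, ?, ?, datetime('now'))");
    $st->execute([$memberId, $body, peerIp($server)]);
}

// Constructed activity: one member whose later comments arrive from new addresses.
$id = register($db, 'user@example.com', ['REMOTE_ADDR' => '198.51.100.7']);
addComment($db, $id, 'first',  ['REMOTE_ADDR' => '198.51.100.7']);
addComment($db, $id, 'second', ['REMOTE_ADDR' => '203.0.113.40']);
addComment($db, $id, 'third',  ['REMOTE_ADDR' => '2001:db8::25']);

// Aggregate view for manual review: distinct addresses per member and how
// many comments came from somewhere other than the registration address.
$sql = 'SELECT m.email, m.registration_ip,
               COUNT(DISTINCT c.ip) AS distinct_ips,
               SUM(c.ip <> m.registration_ip) AS off_registration
        FROM member m JOIN comment c ON c.member_id = m.id
        GROUP BY m.id';
foreach ($db->query($sql, PDO::FETCH_ASSOC) as $row) {
    print_r($row);
}
```

A non-zero off_registration count is a prompt to look at the account, not evidence of compromise, since dynamic addresses and proxies produce the same pattern.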


I don’t see any harm in that. Just remember that IP addresses can easily be spoofed before you alienate the entire area due to a spammer using a proxy.

I agree with the others. It’s too easy to hide or spoof IP addresses and so they are useless on their own to identify users that don’t want to be identified. But even if a user has no bad intentions they could still be using a legitimate hosting account that hands out a new dynamic IP address (as opposed to a static IP address) every time the user connects to the internet.

If you want to store IP addresses that’s fine and is straightforward, but the usefulness of doing so is debatable.

And like oddz says: what if you get it wrong and make the wrong assumption based on IP addresses? You could be alienating legitimate users who in turn then could go and bad-mouth you, and a little while later you sit there wondering why the traffic on your site has dropped.

So, then, how do sites like SitePoint accurately keep track of Users and Monitor Their Online Behavior?


They don’t accurately track users and monitor their online behavior.

I’m sure SitePoint tracks my every move and post on this website.

Maybe that is all a secret, but I was hoping someone could share some insight into what technologies/approaches they use to keep SitePoint clean and working like it should.


SitePoint is a glorified forum and article site. That’s pretty much all there is to it. Sure they can look for your IP address and unique cookies and even ETags but there is no 100% foolproof way to do what you are thinking they do. Sure, the forum might set and read cookies each time you go to a different page, article etc. but that’s the way the forum itself works; it doesn’t mean that SitePoint is intentionally tracking your every move. I’ve never seen any such claim on SitePoint either.

Don’t most large websites track where people are coming from and where they registered from and what pages they go to in order to fight Spammers?


As well as the REMOTE_ADDR option, there is, in some cases, an X_FORWARDED_FOR option. While this one doesn’t always exist, it does sometimes get sent through when the user in question is behind a proxy server.

This allows you to separate out multiple users hidden behind one single proxy.
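One way to combine the two values when logging, added here as an example and not code from any poster in this thread: X-Forwarded-For is ordinary request data that any client can set, so it is read only when the direct peer (REMOTE_ADDR) is one of your own proxies. The function name, the $trustedProxies list and the sample addresses (documentation ranges) are assumptions, and proxy addresses are assumed to be listed in the same textual form the server reports.

```php
<?php
declare(strict_types=1);

/**
 * Resolve the client address for logging (hypothetical helper).
 * REMOTE_ADDR is the TCP peer and cannot be set by a request header.
 * X-Forwarded-For is consulted only when that peer is a trusted proxy.
 */
function resolveClientIp(array $server, array $trustedProxies): array
{
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($peer === false) {
        return ['ip' => null, 'source' => 'none'];
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, $trustedProxies, true)) {
        return ['ip' => $peer, 'source' => 'REMOTE_ADDR'];
    }
    // Each proxy appends the address it saw, so walk right to left and
    // stop at the first hop that is not one of our own proxies.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = filter_var(trim($hop), FILTER_VALIDATE_IP);
        if ($hop === false) {
            break; // malformed entry: stop trusting the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return ['ip' => $hop, 'source' => 'X-Forwarded-For'];
        }
    }
    return ['ip' => $peer, 'source' => 'REMOTE_ADDR'];
}

// Constructed sample requests.
$proxies = ['192.0.2.10'];
$samples = [
    'direct visitor'            => ['REMOTE_ADDR' => '198.51.100.7'],
    'direct, header supplied'   => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.99'],
    'via our proxy'             => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5'],
    'via our proxy, padded XFF' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.1.1.1, 203.0.113.5'],
];
foreach ($samples as $label => $server) {
    $r = resolveClientIp($server, $proxies);
    printf("%-26s %-15s (%s)\n", $label, $r['ip'], $r['source']);
}
```

Logging both the resolved address and the raw header keeps the record useful if the proxy list later turns out to be wrong.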

~ 30 moderators (Advisors, Team Leaders and Admin) and Stop Forum Spam Now or Akismet; I’m not sure which, but one of the two is enabled. Maybe even both?
Most work is done by the moderators though; sure, having some spam filters helps and stops the most obvious spam, but most work is still manual.
Incidentally, Akismet is fairly easy to use in PHP, see

Some might attempt it but it doesn’t mean that they’re accurate. As mentioned previously, referrers can be forged along with ip addresses. Then you have to take into account proxy servers (X_FORWARDED_FOR in the _SERVER array IIRC) etc. Sometimes as cool as these features may be they’re not worth the hassle as it opens up a minefield. Let me give you an example: I’ve got a download script that allows me to control the download speed, monitor how many downloads are paused/completed, disconnect downloads, pause them etc. Sure, it’s technically very cool but it’s basically a script cycling inside a loop which when run multiple times will use far more resources than Apache serving the file. I still use it but I’m more than aware that it could be problematic.

Backing up for a moment…

As the owner of a new website on the WWW, what kinds of things should I be capturing and monitoring when it comes to visitors to my website?

My site has basic content, the ability to create a User Account, to log in and Comment on Articles, and to make purchases (i.e. e-commerce).

I suppose spam in my Comments section could be an issue, but I think I am also concerned about where visitors are coming from and what they are trying to do on my website…