IPv6 to IPv4 or How This Really Works in PHP

Hi

An IPv6 address is nothing like IPv4 because it changes daily, unlike an IPv4 address. So how is it possible to check my db for users with the same IP address or set limits for one IP if it changes every day anyway?

$ipv6 = $_SERVER['REMOTE_ADDR'];

So the only option would be if the IPv6 address could be converted to an IPv4 address that always returns the same value, despite the different IPv6 values (showing the real IP, like we were used to in the old days). Is this logical at all? How do these IP protocols work?

Is it possible to convert it, or how does PHP identify the same user if not by IP? Or can I retrieve both the IPv4 and IPv6 addresses with PHP?

Thank you

1 Like

Can I ask what you use the IP address for in any case? If it’s to identify a user, how does that work if your users come from a business (or other group of users sharing a connection) via a NAT router, where potentially hundreds of users would show the same IP address?

I don’t believe there’s a way to “convert” an IPv6 address to IPv4, they’re different protocols - a user might have IPv6 enabled/installed but not IPv4, for example. Does IPv6 “change daily”? How is that different to a user with an IPv4 dynamic address assigned by DHCP each time they connect? Surely that could change just as often?

1 Like

The IP is a good way to set time limits, like a user can create 2 accounts in one hour, not 50 accounts, and also a good way to know the user’s country. IP is the best way to block spam; the Internet is full of spammers!

My router has both IPv4 and IPv6 addresses (both protocols are enabled; if I disable IPv4 I am not able to visit many sites that don’t support IPv6. BTW, Google and FB support it). My IPv4 never changes (it hasn’t changed in some months) but my IPv6 changes daily; like yesterday, I got a different IPv6 address.

Some apps with IP-based access (on servers with IPv6 site support enabled) save your secure admin login IP and tomorrow block me because my IP changed, so it is pointless to set up IP access with IPv6. I’ve got another server that doesn’t support IPv6, so the IP access works nicely, but I want to support IPv6, so before I can do this I need to be smart about it. Anyway, IPv6 is the future, and programmers should understand it.

IP is also used by the server statistics for unique 24h visitors, so if IPv6 changes daily it still works, or somehow with less accuracy… mh…

Thank you

I would suggest you not to block a user based on IP if you want to block spammers. I suggest setting a $_SESSION with the current time. Then on the form processing page, check to see if that time has passed a certain time such as 2 minutes or 5 minutes. Blocking an IP because you don’t want spammers isn’t good.

No need for further reading: IP does not and never had anything to do with “users”, it was not intended for authentication, and not implemented that way - at least your problem verifies that! @droopsnoot already mentioned some technical background; even your ISP does not know anything about “users”, the only binding is IP ↔ contract partner. Most end-point devices prove this fact, ’cause they are routers - just type this in for further research and let go of your fantasy, this only comes from your technical misunderstanding.

BTW: my IPv4 changes at least daily, it changes even when I reset my router!

PS: IPv6 is made for anonymous connections via privacy extensions: if I load your website I can get the HTML, the CSS, the JS, and all the images all by different IPs - and that’s actually done in some mobile networks by the ISP on v4! And no, you can not “convert” them, v4 and v6 are totally independent and do not relate in any way.

1 Like

If you think about it, there’d be no advantage to having v6 if you could always “convert” it to a single v4 address, it wouldn’t give any additional address space. Unless you assume it would convert many v6 addresses to a single v4 one, in which case it wouldn’t help the OP.

Not all connections work in the same way. In the UK, for example, some ISPs will give you a static IP for no extra monthly charge, some will do it for a charge, and some won’t do it at all. Basing your development solely on your own personal experience can sometimes lead to problems.

I have had similar discussions with people I worked with, who figured that IP is the best way to identify a “user”, and it isn’t as soon as you get away from a single connection per user. Even your home Wi-Fi connection might have three people using it (leaving aside neighbours who might be on it that you didn’t plan for), each with two or three devices, all reporting the same IP to your web site. How do you decide whether that’s the same user on the same device, or the same user on a different device, or a different user? You can’t, by IP.

So chorn, I understand that you are saying to forget monitoring IPs because there is nothing you can do, but I don’t agree with you at all:

OK, many sites’ terms say that only one account per user is allowed (for example Facebook), but in reality they can’t check it; this just means that you can have limitless accounts if you use different names.

Anyway, you can still use IP to check for attacks in some way and to improve on some abusive behavior. Behavior like 50 accounts created by this IP in 10 minutes is not logical, it’s abuse. So you can suspend account creation for an hour or so from that IP. You can still use IP in that manner, but yes, in the long run you can’t.

(Personally) You can use IP for your own improvements in security. If using it for accessing your admin controls, I can keep an IPv4 address in place, but with IPv6 I can’t! So IPv6 is less secure in that manner.

And with DoS attacks they filter out IPs, and no-one cares if there is only one person attacking (abusing the ISP) using the same IPs (even in a larger range); we still need to block/limit everyone who uses that address. This is the most effective option people have to prevent abuse.

You can use IP address to block short term abuse behavior but in long term you may not.

If I got something wrong, please feel free to correct me.

Thank you

Or, it’s someone in a large corporation finding your site, really liking it, sending a message to other people in that corporation, and those people also really liking it and trying to sign up. And then your site looks like it’s buggy, or crashed, and they lose interest and go somewhere else.

You can restrict your own admin access to make sure only connections from your static IP will get on, that’s true. That’s a lot different to assuming everyone else has the same IP behaviour that you do, and will only be a problem when you’ve got a site issue that you need to fix right now, and can’t access it from where you normally access it.

1 Like

The fundamental mistake you are making is assuming that there is only one way to assign IP addresses. You are assuming that because your IPv4 does not routinely change and your IPv6 does, everyone’s addresses follow the same pattern.

This is not the case. You can control address assignment to the point where your addresses never change (v4 or v6) or they can change on every request. Or anywhere in between. It’s easy enough for a potential spammer to change their IP address after creating each account.

So just be aware that you may run into issues depending on how widespread your app ends up being used.

1 Like

I find that with any approach taken a balanced compromise is the best that can be achieved.

That is I have found no way to “let all innocents through and stop all spam bots”.

I think rate limiting can work well for some things.
You don’t want to use it for accessing a site, but for registrations, posting, form submission, it might be a viable approach.

In the past I’ve found that blocking anonymous proxies worked well (key word “anonymous”, not “proxy”)
I don’t know if or how that would work with IPv6, but if it does it might be an approach worth looking into.

1 Like

Thank you for the replies.

The main issue here for me is that if IP changes too often, I can’t limit my admin access to my router with IPv6. In this case it’s all about my ISP and my IPv6 and my admin panel, IP is like extra password for me.

It makes my admin controls less secure, or I need to think about some alternative system for my IP issue, I don’t know how IP range works with IPv6, IPv4 was much more comfortable than any alternative solution I can think of. Anyways I need to go over to IPv6 some day.

Mittineague “balanced compromise” I like how you say it, I completely agree with you.

Thank you
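
Added example, not code from any poster in this thread: one way to key a signup limit so that a daily-changing IPv6 privacy address still lands in the same bucket, by grouping IPv6 clients on their /64 prefix and unwrapping IPv4-mapped addresses. It assumes only the interface identifier (low 64 bits) rotates while the ISP-assigned prefix stays the same; `rateLimitKey`, `SignupLimiter` and the 2-per-hour limit borrowed from the earlier post are illustrative names and values.

```php
<?php
declare(strict_types=1);                       // needs PHP 8.0+ (constructor promotion)

/** Map a client address to a rate-limit bucket; null if it is not an IP literal. */
function rateLimitKey(string $addr): ?string
{
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $bin = inet_pton($addr);                   // 4 bytes for IPv4, 16 for IPv6
    if (strlen($bin) === 4) {
        return 'v4:' . $addr;
    }
    // IPv4-mapped IPv6 (::ffff:a.b.c.d) is the one v6 form that carries a v4 address.
    if (substr($bin, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        return 'v4:' . inet_ntop(substr($bin, 12));
    }
    // Keep the 64-bit network prefix, zero the interface identifier that rotates.
    return 'v6:' . inet_ntop(substr($bin, 0, 8) . str_repeat("\0", 8)) . '/64';
}

/** Sliding-window limiter; the array stands in for a database table or cache. */
final class SignupLimiter
{
    private array $hits = [];                  // bucket => timestamps of accepted signups
    public function __construct(private int $max = 2, private int $window = 3600) {}

    public function allow(string $addr, int $now): bool
    {
        $key = rateLimitKey($addr);
        if ($key === null) {
            return false;                      // unparseable address: refuse
        }
        $since = $now - $this->window;
        $recent = array_values(array_filter($this->hits[$key] ?? [], fn (int $t): bool => $t > $since));
        $ok = count($recent) < $this->max;
        $this->hits[$key] = $ok ? [...$recent, $now] : $recent;
        return $ok;
    }
}

// Constructed sample requests using documentation ranges (RFC 3849, RFC 5737).
$limiter = new SignupLimiter();
$t = 1700000000;
foreach ([
    ['2001:db8:1:2:a1b2:c3d4:e5f6:1', $t],        // privacy address on one network
    ['2001:db8:1:2:9f8e:7d6c:5b4a:2', $t + 60],   // same /64, new interface identifier
    ['2001:db8:1:2:1111:2222:3333:4', $t + 120],  // third signup from that /64
    ['2001:db8:1:3::1', $t + 130],                // different /64, separate bucket
    ['::ffff:192.0.2.10', $t + 180],              // IPv4-mapped form
    ['192.0.2.10', $t + 200],                     // same bucket as the mapped form
    ['192.0.2.10', $t + 220],                     // third signup for that IPv4
] as [$addr, $when]) {
    printf("%-31s %-22s %s\n", $addr, rateLimitKey($addr), $limiter->allow($addr, $when) ? 'allow' : 'refuse');
}
```

Everyone behind one /64 or one NATed IPv4 address shares a bucket, so this fits short-window limits on signups and form posts rather than identifying a user.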

You honestly don’t need to have access to your admin panel via IP at all. In fact, this is bad practice. This isn’t the 90’s anymore. Admin panels should be updated in today’s world because I still see admin panels with a separate URL access point. This isn’t secure anymore. More than half of spam/spider bots look for /admin/ and most likely will find these kinds of folders if people still use this kind of style from the 90’s. It’s 2016, so I propose combining the admin panel with a user level system. If the user level does not match an admin level, instead of redirecting the user, give them a 404 error page along with a 404 header so the user or spam/spider bot will think that that page doesn’t actually exist.

I use MVC so in my application, I made it so that /admin/ actually doesn’t exist on the actual server and any request targeting /admin/ will use that setup. Basically falsifying the URL to avoid any security leaks. Then, if it ever happens (slim chance with a strong password system) with someone guessing or doing Rainbow Tables on the admin account, their page visits get tracked and inserted into the database. This statistic will never be given to anyone even the admins. The only person who would have access to these records is whoever has access to the database whether it’s through phpMyAdmin or mysql’s command line.

So the only thing I see of use from IP is to determine if they are offenders. Other than that, blocking IP address should be limited to a minimum since tons of people use the same network.


You also seem to ignore my session suggestion above. Can I ask why? This is one of the many ways to stop someone from spamming 50 accounts in nearly 5 minutes since it’s time based and will force the user to wait x amount of minutes before they can create a new account again.

1 Like

IP is comfortable. Security is not. Use VPN or SSH.

@spaceshiptrooper I don’t see any benefit in that (except for stopping script kiddies). I can get as many sessions as I want across several ‘browsers’ and delete my cookies after each registration.

1 Like

I said it’s one of the many ways to. You can also do this with storing the time in a .txt file and checking it that way as well and then delete that file once the time has passed x amount of minutes. And yes, you can always run multiple browsers and fill out the form multiple times, but it doesn’t stop script kiddies, it actually stops spam bots. Since they can submit forms in seconds, the time that you set for this setup will potentially stop them by a lot. IP SHOULD NEVER be used to block users. So many people share the same network and if you block an IP, then you are blocking everyone else who didn’t do anything. So are you saying that you rather lose customers trying to use your IP block or would you rather find ways to block spams?


Also, if you are going to say use captchas. Then no. Captchas don’t stop spams. Google’s noCaptcha ReCaptcha doesn’t stop spams at all. I remember once I was on a different forum and I said captchas shouldn’t be used and someone was saying that they are “good”. Then not even a second later, a spam bot gets into their website and starts spamming topics about selling viagra and crap. It made me laugh so much because that user was super ridiculously confident in their words.

So no. Captchas like Google’s noCaptcha ReCaptcha and any other captchas like image captchas only annoy legitimate users. So rather than being a developer, you now put stress on your users. And there are a large portion of users who would NEVER go near websites that have those kinds of captchas.

1 Like

Yeah, captchas, I really hate that. I have done a lot of captcha solving, so annoying… I hate it so much, because most are unreadable and take too much time to solve; there are thousands of ads and after that there is a captcha, cool. So on my site I don’t use it anymore. Yeah, the IP stays the best alternative to block spam, for me at least, as much as I realize that scenarios like @droopsnoot’s are very unlikely to ever happen. Programming is all about logic; if you are able to create a smart algorithm using IP it will not block good people. Session as described… mh…

I currently use admin access: if someone has a different IP, he will be redirected back to the main page (nothing there). If the IP is right you see the login panel. I also came up with another good system: I can manually add a code to the admin URL (like a hidden admin URL “Lwhateverw!9”) that will make it visible; it works like a second password. But if someone hacked my PC he would probably find that in my bookmarks… mh…

“the 90’s thing”?

Ah what VPN lol, I just make everything public for everyone?

“Security through obscurity” - the hope basically that no-one will figure out what your hidden admin URL is. At the very least password protect it and make it time or date dependent. Or make the url time and/or date dependent, and do the same for the password.

Well, there’s clearly no convincing you otherwise, that’s for sure.

That just depends. I don’t know what kind of site you’re writing, and who your target audience is going to be. I just put that up as one reason that you might legitimately expect a sudden influx of connections from the same IP address that wouldn’t be an attack. For your specific target audience, that might be very unlikely. Only you can judge.

1 Like

As long as you prefer to keep your complete misunderstanding of technical backgrounds, while everybody else unveils your lack of basic knowledge in terms of security (1) with the most basic every-day scenarios, I don’t see any reason or any chance for any real discussion.

(1) can’t get the link between public and virtual private networks. even Wikipedia mentions authentication.

I don’t think you understand the basics of security at all. What you are proposing has already been done and has proven of no use. I too thought the same way back when I was green. But I saw that what I was doing was not safe at all. I understood when one of my free hosting accounts got hacked because of something I did not see. Something that only amateurs or beginners could not see. So I dropped everything I had and started reading about how to make everything safe. How NOT to repeat the past. So I started reading up on up-to-date articles. Made myself aware of what I am doing. Tested each piece of code that I think I know what it does. And now I do more research rather than just put everything live and not test it.

What you need to understand is that IP addresses are meant for information. They aren’t meant for protection against spam. A large portion of IP addresses change daily because they are dynamic. The only way to get a static IP address is if you ask for it or your ISP accidentally gives you one. But most likely, it’s a dynamic IP. So that being said, your IP will change frequently and you will lose your old IP address. What if you already had a live version up and running and your IP isn’t the same anymore? You probably will say “I will just manually change it then.” But how frequent are you on updating a single file, honestly? Not a lot of people care to take the time to go through their code, so what makes you “think” you will go through your IP block system and update the IPs in there? The worst case scenario, someone has your old IP and can now access your almighty IP based admin panel and you keep getting redirected for some reason he had your new IP isn’t the same as the old one.

Thank you

About admin controls. OK, you suggest that the best security system is that you first need to log in to a regular user account (with admin level), and after that you can access the real admin panel and log in (you can add extra IP security to this also), so the 2 account system is the 2016 way? There is no problem for me to log into the MySQL db and make changes, for example if my IP changes. I’ve got a steady IPv4 address; the last IP I had for 4 years. Also, the top hosting companies in an IT country like mine use IPs effectively in every case. But you say don’t use IPs, they are a security risk; in some cases you don’t have the possibility to use a 2 account system. Anyway, making your app super secure so that hackers don’t try it and start hacking your hosting provider directly?

@chorn you talk about something that has a different meaning to me, but if your talk is more server side, please explain what you mean by your VPN (virtual private network?) or SSH systems.

I have no idea why you believe an IP based login system is safe at all. It seems you’re convinced that it’s going to block everything and keep you safe. I honestly don’t think you understand a single thing about IP at all. I’m guessing you are just going to ignore the fact that this system is flawed. If someone comes over to your house and uses your internet, they already will be able to get into your system without anything blocking them.

And you are also deeply misunderstanding how the system I have in place works. It’s not as flawed as your IP based login system. In my system, anyone can log into their account. Admin accounts are synced into a regular login. So you only need to log in once. Anything that is admin based, no other user can see. So if they were to try and access /admin/, even if they were logged in or not. They would see a 404 error page. If they were a bot and tried to use CURL, they will still get a 404 error page. The only way to see an admin panel is to be an admin yourself. Accessing a random admin URL such as /admin.php or /admin/ or /panel/admin/ will lead you to a 404 error page IF you are not an admin. This kind of falsifying helps keep unwanted users out.

What you are proposing as your IP based system “idea” is something that is very flawed. Say you go through with this and you block all IP addresses except your own. Now again, what if an attacker uses your own internet and gets into your IP based system, what now? Are you just going to keep ignoring everything everyone has said thus far and stick with your flawed IP based system? Or are you going to take action and change your views on this topic?

Either way. It’s too late for you.


Anyways, I’m not going to try and convince someone who has their mind set up on something that they have no clue about. Even the title speaks for itself.