my script looks first for below in priority then fetch the one which is set as user ip to log in db:
if (!empty($_SERVER[‘HTTP_CLIENT_IP’])) { //check ip from share internet
$ip = $_SERVER[‘HTTP_CLIENT_IP’];
} elseif (!empty($_SERVER[‘HTTP_X_FORWARDED_FOR’])) { //to check ip is pass from proxy
$ip = $_SERVER[‘HTTP_X_FORWARDED_FOR’];
} else {
$ip = $_SERVER[‘REMOTE_ADDR’];
}
As $_SERVER['HTTP_X_FORWARDED_FOR'] may have multiple , separated ips, I can check if it contains a , explode it and use the first ip as user ip, but what to do with the rest exploded ips? is it reasonable to just ignore them, or you suggest to add another column in user db as “additional_ips” and log the rest exploded ips into it?
Is it accurate? if yes, the code I gave in #1 above is more accurate the one I gave in #2? right?
I guess the one on the link is pretty nonsense and easy to spoof, and better just go with $_SERVER['HTTP_CLIENT_IP'] , $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] in priority?
what exactly it does? https://gist.github.com/cballou/2201933#file-get-ip-address-php-L44
what is private ip that it tries to invalidate? what about a visitor comes to a website with ipv6 and the website attempts to validate his ip with this function?! Is it a useful function at all?
The headers are easily spoofed and can’t be trusted. If you need to track the user you would be better off either creating a session or a cookie. Under some EU law (germany for example) you are not allowed the store the full IP address.
For shared IP’s you will want to use: HTTP_CLIENT_IP. Proxies MAY include the headers for : HTTP_X_FORWARDED_FOR, but again this can be spoofed.
Something like this would drill thorugh any available headers:
//shared ip:
if (!empty($_SERVER['HTTP_CLIENT_IP']))
{
return $_SERVER['HTTP_CLIENT_IP'];
}
//proxies, check is header has been set:
else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
return $_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
return $_SERVER['REMOTE_ADDR'];
}
Alternatively, if you are just keeping the IP’s for analysis, you can get a lot of information from your servers logs. At the end of the day you could run a script that extracts the IP’s from your servers log files and inserts them to the database. Would mean less work for the server to do, and less to go wrong.