assuming that php is running in web mode via cgi / mod_php / etc...
is it safe to assume that $_SERVER['REMOTE_ADDR'] will exist, and further more, that it will contain a correctly stylized (sorry, terminology may be off here...) ip (1.1.1.1 -> 255.255.255.255?)?
this is not a question regarding weather the ip contained inside $_SERVER['REMOTE_ADDR'] will be a the true ip of the client making the request, as i do understand this can be 'spoofed' by modifying the outbound tcp packets...
just simply:
a) will $_SERVER['REMOTE_ADDR'] always exist if php is ran in web mode. b) if $_SERVER['REMOTE_ADDR'] does always exist, will it always contain a properly syntaxed ip?
thanks.
$_SERVER['REMOTE_ADDR'] Returns the IP address from where the user is viewing the current page. $_SERVER['REMOTE_HOST'] Returns the Host name from where the user is viewing the current page.
For your question on “$_SERVER['DOCUMENT_ROOT']”, this display where the website's root is. An easy example is the include function. If you use the include function in a directory, the included file either has to be in the same directory or found using '..' which can be messy.
Any $_SERVER variable can be spoofed - e.g. curl_setopt( $ch, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "HTTP_X_FORWARDED_FOR: $ip")); So it depends entirely on the context: if the attacker is expecting a response, it will go back to $ip. If they don't care about the response, they can certainly spoof the header.
Yes, it is always present in web mode, and since the IP address is converted from its binary representation to the textual format you're seeing, it is always valid – there is no way to specify an invalid IP in the IP header.
One more thing: Don't assume any special format unless you absolutely must deal with IP addresses. For example, IPv6 addresses are longer and contain different characters. Basically, deal with IP addresses as an opaque string.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With