Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Reliability of PHP'S $_SERVER['REMOTE_ADDR']

Tags:

security

php

I'm building a site that is designed to be administered from localhost, but contains pages that expose data to internet or local network users. Can I rely on PHP's $_SERVER['REMOTE_ADDR'] as a secure/reliable way of identifying the user as localhost? Thanks!

Edit: To clarify, I am only concerned with determining whether or not the request originates from localhost (perhaps there is a better way).

like image 597
leo Avatar asked Jul 16 '11 03:07

leo


1 Answers

That variable is filled with data provided by Apache (or another web server daemon) and should be reliable in identifying the IP address on the other end of the connection, yes. Check for 127.x.x.x (almost always 127.0.0.1) and ::1 (for IPv6). As Senica says, it may not always exist (for example, when running from the command line rather than through the web server). But if it is filled, it should be reliable.

To be able to fake it, somebody already needs pretty extensive access to your network and system in a way that you can't protect against with PHP anyway.

like image 61
Steven Don Avatar answered Oct 15 '22 11:10

Steven Don