
Two-part question.

First, when I try to echo the IP address in a hidden input field my form stops submitting. I have jQuery to validate some inputs and it all stops when the IP address is present in that field.

Secondly, the IP address I'm getting is not the one I find when I check in terminal. Why is my site, hosted through GoDaddy, showing what looks like a proxy IP and not my machine IP?

Here's the code I'm using.

// Returns the first non-empty value among several client-supplied headers,
// falling back to the address of the TCP peer only when none of them is set.
function ipCheck() {
    if (getenv('HTTP_CLIENT_IP')) {               // "Client-IP" request header
        $ip = getenv('HTTP_CLIENT_IP');
    }
    elseif (getenv('HTTP_X_FORWARDED_FOR')) {     // "X-Forwarded-For" request header
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_X_FORWARDED')) {         // "X-Forwarded" request header
        $ip = getenv('HTTP_X_FORWARDED');
    }
    elseif (getenv('HTTP_FORWARDED_FOR')) {       // "Forwarded-For" request header
        $ip = getenv('HTTP_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_FORWARDED')) {           // "Forwarded" request header
        $ip = getenv('HTTP_FORWARDED');
    }
    else {
        $ip = $_SERVER['REMOTE_ADDR'];            // set by the web server from the connection
    }
    //$ip = str_replace('.','', $ip);
    return $ip;
}
Antti29
Alex Reynolds
  • Because you're behind a proxy? Because your gateway is using NAT? – Oliver Charlesworth Jun 08 '12 at 16:06
  • And we might need a little more information to answer the first question. Like, the HTML for the field that the IP address is in, how it's being populated, and how it's being validated. – andrewsi Jun 08 '12 at 16:10
  • IP on your machine in local network not equals your router's IP (which is used when you browse the Internet), my friend. – Ruslan Osipov Jun 08 '12 at 16:12

1 Answer


Your code is allowing any caller to specify whatever IP address they want (aka IP spoofing).

All an attacker has to do is make requests with an added HTTP header such as X-Forwarded-For: 123.123.123.123.

This code decreases your security, to the point where I could pretend I am localhost (127.0.0.1) or "Santa Claus", since those values are not validated to contain an actual IP address.

Also note that, for example, the X-Forwarded-For HTTP header can contain multiple IP addresses, not just one (separated by commas).

$_SERVER['REMOTE_ADDR'] is your only option.

oxygen
  • Thanks. I noticed that my IP came back as the one assigned by Quest and not the one I see in ifconfig. This is due to my local IP not being the router IP. It works to block users in .htaccess but sadly if they change routers, it won't stop them. Thanks for the help. More secure the better. – Alex Reynolds Jun 26 '12 at 17:39
  • Useful Q/A about `$_SERVER['REMOTE_ADDR']`: http://stackoverflow.com/q/4773969/186636 – Peter Ajtai Sep 14 '12 at 19:58
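The following is an added example, not code from the question or the answer, showing how to put the answer's advice into practice: start from REMOTE_ADDR, which the web server fills in from the TCP connection and a request header cannot forge, and consult X-Forwarded-For only when the direct peer is a proxy you operate yourself. It also handles the two pitfalls the answer names: values that are not IP addresses at all, and headers carrying a comma-separated chain of addresses. The trusted proxy addresses and the sample requests are constructed placeholders, and the function name clientIp is my own.

```php
<?php
// Added example: defensive client-IP resolution.
// The proxy list below is a constructed placeholder; replace it with the
// addresses of the reverse proxies or load balancers you actually run.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function clientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('REMOTE_ADDR missing or invalid');
    }

    // Direct connection, or a peer we do not recognise as our own proxy:
    // whatever X-Forwarded-For says was written by the caller, so ignore it.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }

    // X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the
    // address it saw. Walk from the right, skipping our own proxies; the first
    // address that is not one of ours is the hop that actually connected to our
    // infrastructure. Anything further left was supplied by the client and may
    // be fabricated, so it is never used.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Not an IP address at all ("Santa Claus"): distrust the whole
            // header and fall back to the connection address.
            return $remote;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // every listed hop was one of our own proxies
}

// Constructed sample requests (not captured traffic):

// 1. Direct connection that tries to claim it is localhost via the header.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
var_dump(clientIp($direct));

// 2. Request arriving through our proxy 10.0.0.5, after passing 10.0.0.6;
//    the leftmost address is what the proxy chain recorded for the client.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.2, 10.0.0.6'];
var_dump(clientIp($viaProxy));

// 3. Request through our proxy whose header does not hold an IP address.
$garbage = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'Santa Claus'];
var_dump(clientIp($garbage));
```

Pass $_SERVER as the first argument in a real request handler. On shared hosting with no proxy of your own, the trusted list is empty and the function reduces to returning REMOTE_ADDR, which is exactly what the answer recommends.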