Is $_SERVER['REMOTE_ADDR'] trustworthy?

Question

Possible Duplicate:
What is the most accurate way to retrieve a user's correct IP address in PHP?
Is $_SERVER['REMOTE_ADDR'] always isset()?

Well, I'd like to know if $_SERVER['REMOTE_ADDR'] always contains the IP of the transmitter of the http request? Never mind if it's a proxy, a vpn or the real client IP, does this var always contain a valid IP address, or is it alterable in any manner by the client?

Yes, it can be faked. However, it's not trivial. See http://stackoverflow.com/questions/5092563/how-to-fake-serverremote-addr-variable#5092951 — Rob, Aug 31 '12 at 20:15

score 3 · Accepted Answer · answered Aug 31 '12 at 20:10

3

It will always contain the IP address of where the request came from according to the server receiving the request.

Meaning: if the request came from a computer behind a firewall/NAT/proxy, the content will be that of the firewall/NAT/proxy.

answered Aug 31 '12 at 20:10

Brendan

3,415
24
26

Is $_SERVER['REMOTE_ADDR'] trustworthy?

1 Answers1