
I'm trying to get the user's IP address from a PHP contact form. I have the following code, but I want to know: is it valid to use clean_string in this way to email myself the IP address?

<?php

session_start();

if(isset($_POST['fullname'])) {

include 'freecontact2formsettings.php';

function died($error) {
    echo "Sorry, but there were error(s) found with the form you submitted. ";
    echo "These errors appear below.<br /><br />";
    echo $error."<br /><br />";
    echo "Please go back and fix these errors.<br /><br />";
    die();
}

if(!isset($_POST['fullname']) ||
    !isset($_POST['Address1']) ||
    !isset($_POST['city']) ||
    !isset($_POST['Postcode']) ||
    !isset($_POST['contactnum']) ||
    !isset($_POST['emailaddress'])
    ) {
    died('Sorry, there appears to be a problem with your form submission.');
}

$ip = $_SERVER['HTTP_CLIENT_IP'];
$ansb0_from = $_POST['fullname']; // required
$ansb1_from = $_POST['Address1']; // required
$ansb3_from = $_POST['city']; // required
$ansb4_from = $_POST['Postcode']; // required
$ansb5_from = $_POST['contactnum']; // required
$ansb6_from = $_POST['emailaddress']; // required

$error_message = "";

$email_message = "PHP CONTACT FORM:\r\n";

function clean_string($string) {
  $bad = array("content-type","bcc:","to:","cc:");
  return str_replace($bad,"",$string);
}

$email_message .= "Forename: ".clean_string($ansb0_from)."\r\n";
$email_message .= "Address 1: ".clean_string($ansb1_from)."\r\n";
$email_message .= "City: ".clean_string($ansb3_from)."\r\n";
$email_message .= "Postcode: ".clean_string($ansb4_from)."\r\n";
$email_message .= "Contact Number: ".clean_string($ansb5_from)."\r\n";
$email_message .= "Email Address: ".clean_string($ansb6_from)."\r\n";
$email_message .= "IP Address: ".clean_string($ip)."\n\n";

$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($email_to, $email_subject, $email_message, $headers);
header("Location: $thankyou");
?>
<script>location.replace('<?php echo $thankyou;?>')</script>
<?php
}
die();
?>

Also,

$ip = $_SERVER['HTTP_CLIENT_IP'];

is on the contact form script page, not the actual form.php which the user enters information on. I think that's where I'm going wrong, right?

Thomas893
    use this $_SERVER['REMOTE_ADDR']; – Vahid Farahmand Jan 31 '13 at 01:50
  • Side note - use `str_ireplace()` instead of `str_replace()` in your `clean_string()` function, for case-insensitive matching. But, +1 for being cognizant of email injection, which hardly anyone around here ever seems to be. – Michael Berkowski Jan 31 '13 at 01:51
  • ...unless it's `X_FORWARDED_FOR`. Have a look at phpBB's source code and locate how they get the user's IP (and check for proxies/etc.) – Brad Christie Jan 31 '13 at 01:51
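A hardened version of the same mail step, added here as an example; it is not the asker's code and not from any answer. It assumes the included settings file defines the same `$email_to`, `$email_from`, `$email_subject` and `$thankyou`; the functions `header_safe`, `valid_email` and `collect_fields` are the example's own names. It takes up Michael Berkowski's point: `clean_string()` is a case-sensitive blacklist, and a blacklist is the wrong tool for mail header injection. What actually matters is that no CR/LF reaches a header line, while the body is plain text and needs no such filter at all. The IP is read from `$_SERVER['REMOTE_ADDR']`, which comes from the TCP connection rather than from anything the visitor typed.

```php
<?php
// Added example (not the asker's code). Assumes freecontact2formsettings.php defines
// $email_to, $email_from, $email_subject and $thankyou, as the original script does.
//
// Two separate risks are handled separately:
//  1. Anything placed in a mail HEADER (From:, Reply-To:, Subject:) must not contain
//     CR/LF, otherwise a visitor can append their own Bcc:/To: lines. A blacklist like
//     str_replace(array("bcc:", ...)) misses "BCC:" and other variants, so line breaks
//     are rejected or stripped outright instead.
//  2. The message BODY is plain text, so nothing typed into it can become a header;
//     the IP in the body is not user input at all, it comes from the socket.

// Strip CR, LF and NUL from a value that will be used inside a mail header.
function header_safe(string $value): string {
    return str_replace(array("\r", "\n", "\0"), '', $value);
}

// Strict email validation; FILTER_VALIDATE_EMAIL also rejects any CR/LF.
function valid_email(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Require every field to be present and non-empty; returns an empty array otherwise.
function collect_fields(array $post, array $required): array {
    $clean = array();
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string)$post[$field]) === '') {
            return array();
        }
        // Body is text/plain: only normalise line endings so the mail renders sanely.
        $clean[$field] = str_replace(array("\r\n", "\r"), "\n", trim((string)$post[$field]));
    }
    return $clean;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    exit;
}

include 'freecontact2formsettings.php';

$required = array('fullname', 'Address1', 'city', 'Postcode', 'contactnum', 'emailaddress');
$fields = collect_fields($_POST, $required);
if ($fields === array() || !valid_email($fields['emailaddress'])) {
    http_response_code(400);
    exit('Sorry, there appears to be a problem with your form submission.');
}

// Client address from the connection; never from the form or from client-set headers.
$ip = $_SERVER['REMOTE_ADDR'];

$email_message  = "PHP CONTACT FORM:\r\n";
$email_message .= "Forename: "       . $fields['fullname']     . "\r\n";
$email_message .= "Address 1: "      . $fields['Address1']     . "\r\n";
$email_message .= "City: "           . $fields['city']         . "\r\n";
$email_message .= "Postcode: "       . $fields['Postcode']     . "\r\n";
$email_message .= "Contact Number: " . $fields['contactnum']   . "\r\n";
$email_message .= "Email Address: "  . $fields['emailaddress'] . "\r\n";
$email_message .= "IP Address: "     . $ip                     . "\r\n";

// Our configured address goes in From:. The visitor's address is the only
// user-controlled header value, and it only gets there after valid_email() passed.
$headers  = 'From: '     . header_safe($email_from) . "\r\n";
$headers .= 'Reply-To: ' . $fields['emailaddress']  . "\r\n";
$headers .= 'X-Mailer: PHP/' . phpversion();

mail($email_to, header_safe($email_subject), $email_message, $headers);
header('Location: ' . $thankyou);
exit;
```

The split between `header_safe()` for header values and a plain trim for body fields is the design point: header injection is only possible where a line break can terminate a header, so that is where the control belongs, and a validated email address is the only visitor-supplied value that is allowed into the header block.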

2 Answers


You don't want the IP in the form itself. That way it can be displayed, edited, and messed with. Instead, simply capture it server-side using:

$_SERVER['REMOTE_ADDR'];

Googling this question should by the way return half a billion results that are all valid. Just a quick reminder.

donohoe
OptimusCrime
  • @BradChristie: I took a closer look at the code now, and you're right. The title just confused me a little. His approach is correct if he uses the correct server variable – OptimusCrime Jan 31 '13 at 01:55

You want to check for both $_SERVER["REMOTE_ADDR"] and $_SERVER["HTTP_X_FORWARDED_FOR"], as the latter may be necessary if a user is behind a proxy server.

You can read more here: https://stackoverflow.com/a/3003233/666468

justacoder
  • Never rely on any proxy-forwarded-for header **unless you know who set them**. Any user can include this header in their request and spoof their IP. – deceze Jan 31 '13 at 01:57
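The proxy-aware lookup that deceze's comment calls for, as an added example that is not part of the answer: `$_SERVER['REMOTE_ADDR']` is authoritative because it comes from the TCP connection, and `HTTP_X_FORWARDED_FOR` is consulted only when the request arrived from a proxy the site operator controls, since any client can send that header with any value. The `$TRUSTED_PROXIES` list, the function name `client_ip` and the request arrays are constructed for illustration.

```php
<?php
// Added example, not from the answer or comments above.
// $TRUSTED_PROXIES is a constructed placeholder: fill it with the addresses of the
// reverse proxies or load balancers that actually sit in front of this server.
$TRUSTED_PROXIES = array('10.0.0.5', '10.0.0.6');

// Return the IP address to record for this request.
function client_ip(array $server, array $trusted_proxies): string {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $trusted_proxies, true)) {
        // Direct connection (or an unknown upstream): the header cannot be trusted.
        return $remote;
    }
    $xff = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    if ($xff === '') {
        return $remote;
    }
    // X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the address
    // it saw. Walk it from the right, skipping our own proxies; the first address that is
    // not ours is the nearest hop we did not control. Anything further left was written
    // by that hop (or by the client) and is just untrusted text.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trusted_proxies, true)) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
        break;   // malformed value from an untrusted hop: fall back to REMOTE_ADDR
    }
    return $remote;
}

// Constructed requests (TEST-NET addresses) for illustration.
// 1. Direct visitor who sends a spoofed header: the header is ignored.
$direct = array(
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.1',
);
echo client_ip($direct, $TRUSTED_PROXIES), "\n";

// 2. Via our proxy, which appended the visitor's real address: that address is used.
$proxied = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.6',
);
echo client_ip($proxied, $TRUSTED_PROXIES), "\n";

// 3. Via our proxy, but the visitor also sent a forged header value: the proxy's own
//    appended entry is the rightmost untrusted hop, so the forged value is ignored.
$spoofed = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.9',
);
echo client_ip($spoofed, $TRUSTED_PROXIES), "\n";
```

The first call returns `REMOTE_ADDR` unchanged, the second and third both return the address the trusted proxy appended, and in no case does a value the client wrote itself get recorded. The rule to keep in mind is the one in deceze's comment: a forwarded-for header is only as trustworthy as the party that set the last entry, which is why the lookup starts from `REMOTE_ADDR` and walks right to left rather than taking the first comma-separated value.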