
I've been looking around SO and found that, by using $_SERVER['REMOTE_ADDR'], you can get the client's IP address.

The problem is, if the client is using a Proxy, that value most likely won't be the client's real IP address.

Some people have suggested using both $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'], like in the accepted answer to this question: How to get the client IP address in PHP?

But the thing is, like most of the comments say, $_SERVER['HTTP_X_FORWARDED_FOR'] is very unreliable and can be easily edited by anyone.

So, what I want to know is: what is the best way to get the client's real IP address?

PS: I don't see how this question is a duplicate; in this question, I'm asking for ways beyond $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'], which were the answers to that similar question. I've also explained that the answer for that question is insufficient, as shown in the 4th paragraph.

Ma Chao
  • Sorry to answer the question with a question, but why do you want the client's IP address? It's not a reliable way to track individual clients – andrew Sep 14 '14 at 15:12
  • As far as I know, it isn't possible – Jonan Sep 14 '14 at 15:15
  • Well, I need it so I can prevent clients from abusing a certain feature in my program. I need to know the client's IP so that I know who the client is, even if they make a new account on my program. – Ma Chao Sep 14 '14 at 15:22
  • If there were a way to get the real IP, it would be a bug in the proxy which the proxy would be obliged to fix. – Boann Sep 14 '14 at 15:25

1 Answer

If the user uses an anonymous proxy, the proxy won't reveal their IP via the X-Forwarded-For header - that's the whole point of the anonymous proxy. That means that the request sent by the proxy on behalf of the user does not reveal the IP address. If you want to detect the original IP, you have three options:

  1. Sniff the incoming requests of the proxy server.
  2. Hack into the proxy server and read its log.
  3. Get a court order for the proxy server's operators to reveal that IP for you.

The first two options are illegal. The third option is overly legal. None of them will help you get the original IP in real-time.

At any rate, even if you manage to find the "real" IP and block it, the users will still be able to disconnect their internet connection and reconnect it to get a new IP. This is the oldest trick in the book - even though it is an Internet trick, I won't be surprised to find it's older than the Internet itself...

Of course, that trick won't work if they use a public WiFi or something. But if that's the case, you'll block an entire University because one student abused your server when they used the public WiFi...

Idan Arye
  • So basically, if the user is using a Proxy, he becomes absolutely anonymous and "invincible" to getting his IP tracked, and there's no discovered way to find his real IP? I guess I'll go for #3 then ._. – Ma Chao Sep 14 '14 at 18:03
  • @MaChao You're actually gonna try and get a court order? Didn't you say that you need it for blocking abusive users? – Idan Arye Sep 14 '14 at 20:14
  • I was just kidding... xD Anyways, it's not to block abusive users, it's to prevent users from abusing a feature in my program, it's something that each person in the program should be able to do only once. – Ma Chao Sep 15 '14 at 09:41
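
Added example, not part of the original question or answer: one way to read the two $_SERVER values discussed above so that X-Forwarded-For is honoured only when the connection comes from a reverse proxy you operate. The function name client_ip, the $trustedProxies list and the sample addresses are assumptions constructed for illustration; as the answer explains, the result is still only the address that reached your infrastructure, which may itself be an anonymous proxy.

```php
<?php
// Added example (hypothetical helper, not code from the thread).
// $trustedProxies: addresses of reverse proxies you run yourself (assumption).
// Matching is by exact string, so list each proxy in the textual form PHP reports.
function client_ip(array $server, array $trustedProxies): string
{
    // REMOTE_ADDR is the TCP peer; a request header cannot change it.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        // Direct or unknown peer: anything in X-Forwarded-For is client-supplied.
        return $remote;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk right to left: each of our proxies appended the peer it actually saw,
    // so entries further left were written by less trusted parties.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: stop and keep the last good value
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first address that is not one of our own proxies
        }
        $remote = $hop;
    }
    return $remote;
}

// Constructed sample requests (documentation address ranges).
$trusted = ['10.0.0.5'];
$samples = [
    'direct client sending a forged header' =>
        ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'],
    'client behind our proxy' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
    'client behind our proxy who prepended a forged entry' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.9'],
    'our proxy sent no usable header' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'unknown'],
];
foreach ($samples as $label => $server) {
    echo $label, ': ', client_ip($server, $trusted), PHP_EOL;
}
```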