0

I'm using $_SERVER['REMOTE_ADDR']; to get the IP of the visitors. I don't care if they are behind a proxy, VPN, etc; I need a measure of IP that can't be manipulated by the end-user.

For some users, $_SERVER['REMOTE_ADDR']; is not returning the right IP -- it is returning one of Google's IPs instead, such as 64.233.173.164.

I confirmed this by asking one user to check their IP by checking here and their IP turned out to be different than what $_SERVER['REMOTE_ADDR']; showed.

How is that possible?

UPDATE: I've talked to the specific user in question and he said he is NOT using Google Translate. Why else would a Google IP show in REMOTE_ADDR?

user4951834
  • 681
  • 2
  • 11
  • 26
  • 1
    may be they translate your page – Madhawa Priyashantha Apr 07 '16 at 03:50
  • Are you sure it is you user's IP. It may be one of google robots or something like that? – Mika Andrianarijaona Apr 07 '16 at 03:52
  • 1
    "I just need a measure of IP that can't be manipulated by the end-user." i can change my IP, im an end user. IP can never be used to reliably identify any one. hundreds of people can share a single IP –  Apr 07 '16 at 03:54
  • @FastSnail Ahhhh could be. Is it possible for me to detect IP past their translate pge? – user4951834 Apr 07 '16 at 03:55
  • @MikaA. It was not a Google robot. I know for sure it was a user. – user4951834 Apr 07 '16 at 03:55
  • @Dagon I don't care if you use a VPN or proxy. – user4951834 Apr 07 '16 at 03:56
  • @user4951834 if you know the user ask them did they use google translater – Madhawa Priyashantha Apr 07 '16 at 03:57
  • do you care if every page request i make uses a different IP? or if 100 visitors use a single IP? –  Apr 07 '16 at 03:57
  • @FastSnail On it. Is there any way for me to detect when a user uses Google Translate and somehow get their real IP instead of Google's? – user4951834 Apr 07 '16 at 04:01
  • @user4951834 i don't think you can get real ip if they use google translater or something like that .howevery you could detect it's coming from google – Madhawa Priyashantha Apr 07 '16 at 04:04
  • google translator is effectively a proxy in this case, which you dont care about - not that i'm sure what you do care about. –  Apr 07 '16 at 04:05
  • @FastSnail Anyway to detect it is coming from Google aside from manually collecting their IPs and keeping track of them? – user4951834 Apr 07 '16 at 04:09
  • @Dagon I care about allowing one transaction per IP. However, when people use Google translate, many people end up sharing the same IPs. I'm not concerned about other proxies / VPNs because people who use those proxies and VPNs know they are behind a proxy and VPN and turn it off when we tell them their IP has been used. Same isn't true for Google Translate users. – user4951834 Apr 07 '16 at 04:10
  • @user4951834 can you clarify it for me .i don't get it – Madhawa Priyashantha Apr 07 '16 at 04:11
  • @FastSnail I mean, I want to be able to display a message to people using Google Translate. Any way for me to detect when a user is using Google Translate? – user4951834 Apr 07 '16 at 04:12
  • 1
    one transaction per IP = for reasons i pointed out before this can never work. –  Apr 07 '16 at 04:13
  • @user4951834 read this [so question](http://stackoverflow.com/questions/27665531/how-to-find-googles-ip-address) .and also search for google ip range – Madhawa Priyashantha Apr 07 '16 at 04:14
  • @Dagon Please, just stop. I'm well aware of what I'm doing when I'm tracking IPs and why. I asked about why REMOTE_ADDR is showing what it is, not advice on why I shouldn't use REMOTE_ADDR. If you can't provide constructive help, stop trolling. – user4951834 Apr 07 '16 at 04:14
  • @FastSnail Thank you. I will look into this. I will also look into javascript to detect Google Translate. – user4951834 Apr 07 '16 at 04:16
  • @FastSnail Also, FYI, user says he wasn't using Google Translate when we detected the above-mentioned Google IP – user4951834 Apr 07 '16 at 04:17
  • @user4951834 i'm not sure why .my guesses are google se bots or translater or googles services .but if they don't use any of those i don't know . – Madhawa Priyashantha Apr 07 '16 at 04:20
  • im actually trying to help your just to stubborn to realize\understand it –  Apr 07 '16 at 04:24
  • Did you try this answer yet? http://stackoverflow.com/a/55790/1570534 – Hanky Panky Apr 07 '16 at 04:35
  • @FastSnail I know, this is very weird. I'm going to try and get more information out of the user. This isn't the only user this is happening to, though -- I am seeing a good number of Google IPs in our system. – user4951834 Apr 07 '16 at 04:39
  • @HankyPanky I cannot use the other options aside from REMOTE_ADDR because I don't want the user manipulating their IPs (outside of using proxy, VPN, etc.) – user4951834 Apr 07 '16 at 04:39

1 Answers1

3

I don't care if they are behind a proxy, VPN, etc;

You have to, if they are using a VPN, or a proxy, or NAT then $_SERVER['REMOTE_ADDR'] will contain that ip and not of the user, and that is what you're getting.

UPDATE: I've talked to the specific user in question and he said he is NOT using Google Translate. Why else would a Google IP show in REMOTE_ADDR?

That Google IP you have mentioned in your OP belongs to google-proxy-64-233-173-164.google.com which is the proxy that this visitor's computer or ISP is using

If you were to check HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP You would get that information

Hanky Panky
  • 46,730
  • 8
  • 72
  • 95
  • What exactly would the user be using to get a Google IP, aside from Google Translate which he said he is not using? – user4951834 Apr 07 '16 at 04:40
  • That Google IP you have mentioned in your OP belongs to `google-proxy-64-233-173-164.google.com` which is the proxy that this visitor's computer or ISP is using. – Hanky Panky Apr 07 '16 at 04:42
  • So the ISP is using Google proxy in the backend? How can I reliably get `HTTP_CLIENT_IP` without risking the user simply changing it at their end? As I said, I don't care if they use a VPN or proxy, but I don't want them just cycling through IPs by simply changing their headers. – user4951834 Apr 07 '16 at 04:51
  • 1
    Unless your users are technically aware of what they are trying to break and use a client software which allows them to change request headers, this is not a problem. Can you tell me how would you change your client ip using chrome/ff/ie when you visit my site? IP is not a reliable indicator of an exact client anyway even if you manage to perfect it – Hanky Panky Apr 07 '16 at 04:53
  • Fair enough. What is prefered, `HTTP_CLIENT_IP` or `HTTP_X_FORWARDED_FOR` ? – user4951834 Apr 07 '16 at 04:56
  • I usually check `HTTP_X_FORWARDED_FOR` and `REMOTE_ADDR` together – Hanky Panky Apr 07 '16 at 04:57