Getting Users Real IP address using PHP

Question

I want to get the real IP address from users going on my site even if they use a proxy website like hidemyass.com

This is the code I have and thought it worked but I tested it and it doesn't

<?php
function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
    {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
    {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
      $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
?>

I thought this code would work but proxy still bypass it.

Thanks in advance.

If someone wants to hide their IP, what gives you the right to need to know it? — Skilldrick, Jan 13 '11 at 23:01
You could try blacklisting proxies, but that would be an enormous ongoing task ;-) — ChristopheD, Jan 13 '11 at 23:02

score 19 · Answer 1 · answered Jan 13 '11 at 23:00

19

There is no guaranteed way to get a "real" IP address, if the proxy doesn't want to tell you about it (and any true anonymous proxy won't).

answered Jan 13 '11 at 23:00

Amber

507,862
82
626
550

score 6 · Answer 2 · answered Jan 13 '11 at 23:00

You can't. The info you have is from apache/iis/whatever, and it only knows who is talking to your server, which in this case, is the proxy. Unless the proxy wants to send along that info in a header, then you won't get it.

X-Forwarded-For is the best you can do, but its not likely an anonymous proxy will send that.

score 5 · Answer 3 · answered Jan 13 '11 at 23:08

You can't get the "real" IP address for sure unless you implement some sort of authentication protocol at the application layer that encodes the IP address (which is also subject to spoofin).

Why is this?

Because the IP data packet can be rewritten arbitrarily by someone "in the middle" who has access to it. E.g., a proxy, router, gateway, etc.

An IP data packet has this structure

| stuff | src ip | dst ip  | stuff |
| ....  | 32-bits| 32 bits | stuff |

So src ip - those are just bits, remember - can be overwritten arbitrarily.

http://www.faqs.org/rfcs/rfc791.html will give more information.

score 2 · Answer 4 · answered Jan 13 '11 at 23:02

2

Unless the proxy puts the real ip address in the headers (common - depending on why the proxy is being used) (generally in some form of "X-something"), then you can only see the ip address of the proxy.

answered Jan 13 '11 at 23:02

James Butler

3,852
1
26
38

score 0 · Answer 5 · answered Sep 05 '14 at 11:36

Try this please

function get_IP_address()
{
  foreach (array('HTTP_CLIENT_IP',
               'HTTP_X_FORWARDED_FOR',
               'HTTP_X_FORWARDED',
               'HTTP_X_CLUSTER_CLIENT_IP',
               'HTTP_FORWARDED_FOR',
               'HTTP_FORWARDED',
               'REMOTE_ADDR') as $key){
    if (array_key_exists($key, $_SERVER) === true){
        foreach (explode(',', $_SERVER[$key]) as $IPaddress){
            $IPaddress = trim($IPaddress); // Just to be safe

            if (filter_var($IPaddress,
                           FILTER_VALIDATE_IP,
                           FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)
                !== false) {

                return $IPaddress;
            }
        }
    }
}
}

Getting Users Real IP address using PHP

5 Answers5

Linked

Related