Setting Fake/local IP address To PHP $_SERVER variable

Question

I'm using following function on my PHP site to get visitors IP

function getClientIP(){       
 if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)){
        return  $_SERVER["HTTP_X_FORWARDED_FOR"];  
 }else if (array_key_exists('REMOTE_ADDR', $_SERVER)) { 
        return $_SERVER["REMOTE_ADDR"]; 
 }else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) {
        return $_SERVER["HTTP_CLIENT_IP"]; 
 } 

 return '';}

As I was not using any filter or validation on IP address earlier, few days back in our IP address column I have received some random strings (e.g. $IP_array) instead a valid IP address. And I think that request was sent using PHP script, I have tried several ways to spoof IP for my own site but each time a got my original IP or IP assigned VPN how it's possible to get some string instead IP.

Answer 1

you can try this:

<?PHP

function getUserIP()
{
    $client  = @$_SERVER['HTTP_CLIENT_IP'];
    $forward = @$_SERVER['HTTP_X_FORWARDED_FOR'];
    $remote  = $_SERVER['REMOTE_ADDR'];

    if(filter_var($client, FILTER_VALIDATE_IP))
    {
        $ip = $client;
    }
    elseif(filter_var($forward, FILTER_VALIDATE_IP))
    {
        $ip = $forward;
    }
    else
    {
        $ip = $remote;
    }

    return $ip;
}


$user_ip = getUserIP();

echo $user_ip; // Output IP address [Ex: 192.168.1.150]


?>