
PHP Contact Form Capture source/Real IP of Visitor behind

Posted: Sat Mar 20, 2010 9:44 am
by dingi
I have a working contact form in PHP with IP address also being sent along with the user filled data via email. I used the following code:
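// PHP exposes the X-Forwarded-For request header as HTTP_X_FORWARDED_FOR.
// Use it when a proxy supplied it, otherwise fall back to the connecting address.
$userip = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
$message .= "\n\nUser's IP: " . $userip;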
This code is in my "form.php". The form.php calls "processor.php" on form submit.
The above code sends the IP address but not the real/source IP of the visitor who is surfing anonymously by a proxy server. I tested it myself by using a free proxy server (free4proxy dot com) and the contact form result shows only the Proxy IP. Since I don't know PHP etc... I am very much in need of help from this forum. I am receiving several mails that are suspicious. Please help me. Thank You.

Re: PHP Contact Form Capture source/Real IP of Visitor behind

Posted: Sat Mar 20, 2010 1:40 pm
by Bind
Your code is accurate.

Your issue is NOT the source code.

The issue is the type of proxy server the visitor connects through.

If the proxy server is an "elite" proxy server or PHProxy, it will NOT pass on the originating IP of the visitor, but instead the proxy IP.

If the visitor uses an "elite" proxy or PHProxy, there is no way to obtain the visitor's IP without contacting the proxy owner and attempting to negotiate with them to obtain that information from their logs.

If your concern is spam-related or form-hijacking, use a challenge/response system (like CAPTCHA or RE-CAPTCHA) or a sessions-based ticket system to prevent automation through your form.

Neophyte webmasters often spend way too much time concerned about visitors' IPs instead of simply being happy their site is popular enough to receive regular traffic, which takes away from productive development time. Personally, I ignore them unless they are attempting to affect the stability of the service I am providing. It's easy to simply ban offending IPs and use a security class to limit flood attempts (session-based request time checks).
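
The session-based ticket and request-time check suggested in the reply above, sketched as an added example that is not part of the original thread. The function names, constants and thresholds are assumptions; form.php would call issue_ticket($_SESSION, time()) after session_start(), and processor.php would call check_ticket($_SESSION, $_POST, time()) before sending the mail.

```php
<?php
// Added example: single-use form ticket plus session-based request time checks.
// All names and thresholds below are hypothetical, chosen for illustration.
declare(strict_types=1);

const MIN_FILL_SECONDS   = 3;     // assumed: a person needs longer than this to fill the form
const TICKET_TTL_SECONDS = 1800;  // assumed: ticket is valid for 30 minutes
const MAX_POSTS_PER_HOUR = 5;     // assumed: per-session flood limit

// form.php: store a random ticket in the session and return it for a
// hidden <input name="ticket"> field.
function issue_ticket(array &$session, int $now): string
{
    $session['ticket']      = bin2hex(random_bytes(16));
    $session['ticket_time'] = $now;
    return $session['ticket'];
}

// processor.php: returns null when the submission is accepted,
// otherwise a short reason for rejecting it.
function check_ticket(array &$session, array $post, int $now): ?string
{
    $expected = (string) ($session['ticket'] ?? '');
    $issued   = (int) ($session['ticket_time'] ?? 0);
    unset($session['ticket'], $session['ticket_time']); // single use, even on failure

    $sent = $post['ticket'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return 'missing or wrong ticket';   // form was never loaded in this session
    }
    $age = $now - $issued;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too fast';        // typical of scripted posts
    }
    if ($age > TICKET_TTL_SECONDS) {
        return 'ticket expired';
    }
    // Keep only timestamps from the last hour, then apply the flood limit.
    $recent = array_values(array_filter(
        $session['posts'] ?? [],
        fn ($t) => $t > $now - 3600
    ));
    $session['posts'] = $recent;
    if (count($recent) >= MAX_POSTS_PER_HOUR) {
        return 'too many submissions';
    }
    $session['posts'][] = $now;
    return null;
}
```

The per-session counter resets when a client discards its session cookie, so it complements rather than replaces an IP ban or CAPTCHA; the ticket and minimum-time checks still apply to every new session.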