
Validity of $_SERVER['REMOTE_ADDR']

Posted: Tue Aug 22, 2006 11:38 am
by Jenk
I did search, but came across a problem with searching, as seen by my thread in Suggestions.

I am seeking information on why we (as PHP developers) shouldn't trust $_SERVER['REMOTE_ADDR'], or use IPs in general.

I've got a few reasons, and have been asked to provide 'evidence' for one or two of them:

- some webservers do not pass this information to PHP, thus it is not available at all. (CLI installations do not have this variable, for example)

- It can be spoofed. On a relative scale, a lot easier than spoofing packets. (this is what I am needing more info on)

- There are legitimate reasons for users not using the same IP every time (dynamic IPs) and possible collisions with other users (proxies, traffic routing etc.)

Any info much appreciated :)

Posted: Tue Aug 22, 2006 11:51 am
by feyd
#2 is fulfilled via proxies, so to speak. Legitimate spoofing, but I consider it spoofing nonetheless. Actual spoofing simply involves adding code to your network layer or exploiting readily available tools. Granted, the tools are legitimate for security and networking professionals. It's easier to do this under non-Windows systems in my experience, but is still possible to do on Windows.

The major reason is #3: it is impossible (without help from the IP provider) to even possibly narrow down who the IP is. At best, filtering based on IP is only a band-aid and penalizes legitimate users too much to be a "Good solution."

Posted: Tue Aug 22, 2006 11:59 am
by deleet
Discussing the last point of your post, there are innumerable reasons for users to have different IP addresses. The most common and simple example is free hostnames.

There are countless free hostnames on the internet, so you will never be able to be certain that a hostname belongs to one user and one user alone. It can be shared easily with other people and/or can be the hostname of a LAN connection (where there are several computers).

Also, in case I have a dynamic IP address, I can have the IP 82.127.65.84 right now, but when I disconnect and my neighbour connects, there is a chance that he'll get the IP 82.127.65.84.

Those two reasons alone should be more than enough for you not to trust $_SERVER['REMOTE_ADDR'] for providing sensitive information, unless you control the environment of your application (such as a LAN where you know all of the IPs of every computer and that those cannot be changed). You can however use them for non-sensitive information such as logging, etc.

I do not know if it is possible to change the IP address provided to PHP in order to execute code or cause an exploit.

I don't know much about this but I hope this helps.
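Added illustration for feyd's "spoofing via proxies" point and deleet's question about changing the IP that PHP sees (this is example code written for this page, not code posted by anyone in the thread). $_SERVER['REMOTE_ADDR'] is filled in by the webserver from the TCP connection, so on its own it cannot be changed by the browser; what gets spoofed in practice is the *application's* idea of the client IP, because a lot of code prefers request headers such as X-Forwarded-For or Client-IP (every $_SERVER['HTTP_*'] entry is a header the client sent and may contain any bytes). Behind a reverse proxy REMOTE_ADDR is the proxy's address, which is why that header-first pattern is so common. The example contrasts that pattern with one that only believes forwarded headers when REMOTE_ADDR is one of a configured set of proxies. The proxy addresses in TRUSTED_PROXIES, the function names, and the two $_SERVER arrays are made up for the demonstration.

```php
<?php
// Added example (not from the thread). Contrasts the common "look at forwarded
// headers first" pattern with one that only believes them behind a known proxy.
// TRUSTED_PROXIES, client_ip_naive and client_ip_trusted are names chosen for
// this example, not a PHP or framework API.

declare(strict_types=1);

// Assumption: the reverse proxies in front of this application use these addresses.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Widely copied pattern: prefer whatever the request claims about itself.
// HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so any client
// can set them to any value, including things that are not IP addresses.
function client_ip_naive(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return '';
}

// Honour X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is one of our own
// proxies, and then walk the list right to left: the rightmost entry was appended
// by the proxy that talked to us, everything further left was supplied by the
// client or by proxies we do not control.
function client_ip_trusted(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        // e.g. the CLI SAPI, where the variable does not exist at all
        return '';
    }
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Direct connection (or no forwarding header): the peer address is the
        // only thing we can actually verify, so ignore any client-sent headers.
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue; // added by one of our own proxies, keep walking left
        }
        // First hop not under our control; accept it only if it parses as an IP,
        // otherwise fall back to the verifiable peer address.
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
    }
    return $peer;
}

// Constructed requests for the demonstration (not real traffic).
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "127.0.0.1', 'admin'); --",   // attacker-chosen header value
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',                       // our proxy
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',      // first entry was set by the client
];

var_dump(client_ip_naive($direct));
var_dump(client_ip_trusted($direct));
var_dump(client_ip_naive($viaProxy));
var_dump(client_ip_trusted($viaProxy));
```

For the direct request the naive function hands back the attacker's header verbatim (so whatever the caller does with the "IP" afterwards, logging, SQL, an IP allow-list, sees attacker-controlled text), while the trusted version returns 203.0.113.7. For the proxied request the naive version returns the whole comma-separated list, the client's fake first entry included; the trusted version skips nothing it trusts and stops at 203.0.113.7, the address the proxy itself saw. Note that the hardened version still only tells you the address of the last untrusted hop, which brings you straight back to the dynamic-IP and shared-IP problems in the posts above.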

Posted: Tue Aug 22, 2006 12:44 pm
by Jenk
Thank you both very much :)

Posted: Tue Aug 22, 2006 5:12 pm
by volka
1) CLI is not meant for webservers
http://de2.php.net/manual/en/features.commandline.php wrote:
    "CLI which means Command Line Interface. As the name implies, this SAPI type main focus is on developing shell (or desktop as well) applications with PHP."
2) ...
3) e.g. see http://en.wikipedia.org/wiki/Wikipedia: ... OL_vandals