Validity of $_SERVER['REMOTE_ADDR']
Posted: Tue Aug 22, 2006 11:38 am
I did search, but came across a problem with searching, as seen by my thread in suggestions.
I am seeking information on why we (as PHP developers) shouldn't trust $_SERVER['REMOTE_ADDR'], and using IPs in general.
I've got a few reasons, and have been asked to prove 'evidence' for one or two of them:
- Some webservers do not pass this information to PHP, thus it is not available at all. (CLI installations do not have this variable, for example.)
- It can be spoofed. On a relative scale, a lot easier than spoofing packets. (this is what I am needing more info on)
- There are legitimate reasons for users not using the same IP every time (dynamic IPs) and possible collisions with other users (proxies, traffic routing etc.)
Any info much appreciated.