reliability getting ip address through code

Ye' old general discussion board. Basically, for everything that isn't covered elsewhere. Come here to shoot the breeze, shoot your mouth off, or whatever suits your fancy.
This forum is not for asking programming related questions.

Moderator: General Moderators

Post Reply
mparker1113
Forum Commoner
Posts: 28
Joined: Wed Apr 05, 2006 9:39 am

reliability getting ip address through code

Post by mparker1113 »

Hi,

I found this code for getting a client's ip address:

Code: Select all

if (getenv(HTTP_X_FORWARDED_FOR)) 
{
  $ip = getenv('HTTP_X_FORWARD_FOR'); 
  $host = gethostbyaddr($ip); 
} else { 
   $ip = getenv('REMOTE_ADDR'); 
   $host = gethostbyaddr($ip); }
So, I tried it out on my system, and both of my computers that are connected to my router returned the same address. So, I removed the router from the DSL modem, and linked directly through the modem -- still getting the same ip address, which is not the address that I get from ipconfig at the command prompt.

I want to know if I am getting an actual ip address from my location, or an address which merely locates my isp. Because, I want to be able to know when a person logs in more than once, but not when an ISP does.

Any input would be very revered.

Thank you,

Mike
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

You cannot reliably get the ip address of users. Whether it is NAT, or proxies, or other items, IP addresses do not have a reliable relationship to the users.

Check my sig. :)
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I agree with Roja. It's not reliable information. I use code similar to what you posted in that it checks for the FORWARDED header but the only place I actually use IP address check is in statistics gathering for things like hit counters and other traffic analysis. I wouldn't rely on an IP address if it was critical to the design of an authentication system or such like... it I mean, the forwarded value can easily be spoofed, or not passed at all.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: reliability getting ip address through code

Post by timvw »

mparker1113 wrote: Because, I want to be able to know when a person logs in more than once, but not when an ISP does.
How would you define a 'person'? And how is it modelled in your system?

Only when we know this, we can start giving you suggestions for the identification of these 'persons'...

(Eg: two people that share a computer, are they the same person in your model?)
mparker1113
Forum Commoner
Posts: 28
Joined: Wed Apr 05, 2006 9:39 am

Post by mparker1113 »

The purpose of my locating when someone has already logged in is for a customer whose has recipes posted on their site which are specific for their product. They want for users to be able to post ratings/reviews for recipes. I will store the reviews in a database, and if I stored the corresponding ip address, I could make reasonably sure that people were not trying to "hack the results." I am not going to force log ins, as that is not what this site is looking for, just want to put some kind of net in place to see if they are voting more than once for the same recipe. (Of course, they can vote as many times as they would like as long as they are reviewing different recipes)

I suppose I might have to go to cookies for this.

What says you ?
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

OK, look at it this way. An association may have 1000 computers hooked up to the internet but they only have 1 external IP address you can see. Two people log onto your site, they are both the same person if all you're going by is an IP.

In my house, we have three computers, all connected to a router. We are all the same person.

Using cookies/sessions could perhaps be used in some way yes, although again this could probably be worked around easily.

Without an actual set of fixed credentials to identify a "person" (i.e. username/password) this is not going to be reliable. I wonder what use cookies could be here? :)
Post Reply