如何在PHP中获取客户端IP地址_Php_Environment Variables_Ip Address

如何在PHP中获取客户端IP地址

php

如何在PHP中获取客户端IP地址,php,environment-variables,ip-address,Php,Environment Variables,Ip Address,如何使用PHP获取客户端IP地址我想保留通过其IP地址登录我的网站的用户的记录。它应该包含在$\u服务器['REMOTE\u ADDR']变量中。$\u服务器['REMOTE\u ADDR']可能实际上不包含真实的客户端IP地址，因为它将为通过代理连接的客户端提供代理地址，例如那可能不过，我们会成为你真正想要的，这取决于你对IPs做了什么。某人的专用RFC1918地址可能对您没有任何好处，如果您试图查看您的流量来自何处，或者记住用户上次连接的IP，代理或NAT网关的公共IP可能更适合存储在何

如何使用PHP获取客户端IP地址

我想保留通过其IP地址登录我的网站的用户的记录。

它应该包含在

$\u服务器['REMOTE\u ADDR']

变量中。

$\u服务器['REMOTE\u ADDR']

可能实际上不包含真实的客户端IP地址，因为它将为通过代理连接的客户端提供代理地址，例如那可能不过，我们会成为你真正想要的，这取决于你对IPs做了什么。某人的专用RFC1918地址可能对您没有任何好处，如果您试图查看您的流量来自何处，或者记住用户上次连接的IP，代理或NAT网关的公共IP可能更适合存储在何处

有几个HTTP头，如

X-Forwarded-For

，可以由各种代理设置，也可以不设置。问题是，这些只是HTTP头，任何人都可以设置。他们的内容不能保证

$\u SERVER['REMOTE\u ADDR']

是web服务器从中接收连接并将响应发送到的实际物理IP地址。其他任何信息都是随意的和自愿的。只有一种情况下您可以信任此信息：您正在控制设置此标头的代理。这意味着只有当你100%知道标题的位置和设置方式时，你才应该注意它的重要性

话虽如此，下面是一些示例代码：

if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

编者按：使用上述代码具有安全含义。客户端可以将所有HTTP头信息（即，

$\u服务器['HTTP…

）设置为它想要的任意值。因此，使用

$\u服务器['REMOTE\u ADDR']

更可靠，因为这不能由用户设置

$ip = $_SERVER['HTTP_CLIENT_IP'] ? $_SERVER['HTTP_CLIENT_IP'] : ($_SERVER['HTTP_X_FORWARDED_FOR'] ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);

发件人：

答案是使用变量。例如，

$\u服务器[“远程地址”]

将返回客户端的IP地址。

无论您做什么，请确保不要信任从客户端发送的数据。

$\u服务器[“远程地址”]

包含连接方的真实IP地址。这是您可以找到的最可靠的值

但是，它们可以位于代理服务器后面，在这种情况下，代理可能已经设置了

$\u服务器['HTTP\u X\u FORWARDED\u FOR']

，但是这个值很容易被欺骗。例如，它可以由没有代理的人设置，或者IP可以是代理后面LAN的内部IP

这意味着，如果要保存

$\u服务器['HTTP\u X\u FORWARDED\u']

，请确保还保存

$\u服务器['REMOTE\u ADDR']

值。例如，通过在数据库的不同字段中保存这两个值

如果要将IP以字符串形式保存到数据库，请确保至少有45个字符的空间。并且这些地址大于旧的IPv4地址

（请注意，IPv6通常最多使用39个字符，但也有一个特殊的字符，其完整形式最多可使用45个字符。因此，如果您知道自己在做什么，可以使用39个字符，但如果您只是想设置并忘记它，请使用45个字符）。
我喜欢此代码段：

function getClientIP() { if (isset($_SERVER)) { if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) return $_SERVER["HTTP_X_FORWARDED_FOR"]; if (isset($_SERVER["HTTP_CLIENT_IP"])) return $_SERVER["HTTP_CLIENT_IP"]; return $_SERVER["REMOTE_ADDR"]; } if (getenv('HTTP_X_FORWARDED_FOR')) return getenv('HTTP_X_FORWARDED_FOR'); if (getenv('HTTP_CLIENT_IP')) return getenv('HTTP_CLIENT_IP'); return getenv('REMOTE_ADDR'); }

这是我使用的方法，它验证输入：

我最喜欢的解决方案是Zend Framework 2使用的方式。它还考虑了
$\u服务器
属性
HTTP\u X\u转发
，
HTTP\u客户端(IP)
，
远程(u ADDR)
，但它声明了一个类来设置一些受信任的代理，并返回一个IP地址而不是数组。我认为这是clo提供的解决方案同意：

class RemoteAddress { /** * Whether to use proxy addresses or not. * * As default this setting is disabled - IP address is mostly needed to increase * security. HTTP_* are not reliable since can easily be spoofed. It can be enabled * just for more flexibility, but if user uses proxy to connect to trusted services * it's his/her own risk, only reliable field for IP address is $_SERVER['REMOTE_ADDR']. * * @var bool */ protected $useProxy = false; /** * List of trusted proxy IP addresses * * @var array */ protected $trustedProxies = array(); /** * HTTP header to introspect for proxies * * @var string */ protected $proxyHeader = 'HTTP_X_FORWARDED_FOR'; // [...] /** * Returns client IP address. * * @return string IP address. */ public function getIpAddress() { $ip = $this->getIpAddressFromProxy(); if ($ip) { return $ip; } // direct IP address if (isset($_SERVER['REMOTE_ADDR'])) { return $_SERVER['REMOTE_ADDR']; } return ''; } /** * Attempt to get the IP address for a proxied client * * @see http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-10#section-5.2 * @return false|string */ protected function getIpAddressFromProxy() { if (!$this->useProxy || (isset($_SERVER['REMOTE_ADDR']) && !in_array($_SERVER['REMOTE_ADDR'], $this->trustedProxies)) ) { return false; } $header = $this->proxyHeader; if (!isset($_SERVER[$header]) || empty($_SERVER[$header])) { return false; } // Extract IPs $ips = explode(',', $_SERVER[$header]); // trim, so we can compare against trusted proxies properly $ips = array_map('trim', $ips); // remove trusted proxy IPs $ips = array_diff($ips, $this->trustedProxies); // Any left? if (empty($ips)) { return false; } // Since we've removed any known, trusted proxy servers, the right-most // address represents the first IP we do not know about -- i.e., we do // not know if it is a proxy server, or a client. As such, we treat it // as the originating IP. // @see http://en.wikipedia.org/wiki/X-Forwarded-For $ip = array_pop($ips); return $ip; } // [...] }
请参见此处的完整代码：
下面是一个更清晰的代码示例，它是获取用户IP地址的好方法

$ip = $_SERVER['HTTP_CLIENT_IP'] ? $_SERVER['HTTP_CLIENT_IP'] : ($_SERVER['HTTP_X_FORWARDED_FOR'] ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
以下是使用elvis运算符的较短版本：

$_SERVER['HTTP_CLIENT_IP'] ? : ($_SERVER['HTTP_X_FORWARDED_FOR'] ? : $_SERVER['REMOTE_ADDR']);
这是一个使用isset删除通知的版本（谢谢@shasi kanth）：
像下面这样

if (($ip=filter_input(INPUT_SERVER, 'REMOTE_ADDR', validate_ip)) === false or empty($ip)) { exit; } echo $ip;

PS

所有以“HTTP_uu”或“X-”开头的头都可能被欺骗，这两个头分别是用户定义的。如果您想跟踪，请使用cookies等。
以下是我发现的最先进的方法，我过去也尝试过其他方法。确保获取访问者的IP地址是有效的（但请注意，任何黑客都可能轻易伪造IP地址）
函数get\u ip\u address（）{ //检查共享Internet/ISP IP if（！empty（$_服务器['HTTP_客户端\u IP']）和&validate_IP（$_服务器['HTTP_客户端\u IP']））{ 返回$_SERVER['HTTP_CLIENT_IP']； } //检查通过代理的IP地址 if（！empty（$\u服务器['HTTP\u X\u FORWARDED\u FOR']））{ //检查var中是否存在多个IP地址 if（strpos（$_服务器['HTTP\u X\u转发给']，'）！==false）{ $iplist=explode（“，”，$”服务器['HTTP\u X\u FORWARDED\u FOR']）； foreach（$ip列表为$ip）{ 如果（验证ip（$ip））返回$ip； } } 否则{ 如果（验证ip（$\u服务器['HTTP\u X\u FORWARDED\u FOR']））返回$_服务器['HTTP_X_FORWARDED_']； } } if（！empty（$_服务器['HTTP\u X\u转发]）&验证\u ip（$_服务器['HTTP\u X\u转发]））返回$_服务器['HTTP_X_FORWARDED']；如果（！empty（$_服务器['HTTP\u X\u集群\u客户端\u IP']）和验证\u IP（$_服务器['HTTP\u X\u集群\u客户端\u IP']））返回$_SERVER['HTTP_X_CLUSTER_CLIENT_IP']； if（！empty（$_SERVER['HTTP\u FORWARDED\u FOR']）和&validate\u ip（$_SERVER['HTTP\u FORWARDED\u FOR']））返回$_服务器['HTTP_FORWARDED_']；如果（！empty（$_服务器['HTTP_FORWARDED']）和&validate_ip（$_服务器['HTTP_FORWARDED']））返回$_服务器['HTTP_转发]； //返回不可靠的IP地址，因为所有其他操作都失败返回$服务器['REMOTE\u ADDR']； } /** *确保IP地址既是有效的IP地址，又不在 *专用网络范围。 */ 函数验证ip（$ip）{ 如果（strt
$ip = isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

if (($ip=filter_input(INPUT_SERVER, 'REMOTE_ADDR', validate_ip)) === false or empty($ip)) { exit; } echo $ip;

if (($ip=filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP|FILTER_FLAG_NO_PRIV_RANGE|FILTER_FLAG_NO_RES_RANGE)) === false) { header('HTTP/1.0 400 Bad Request'); exit; }

function get_ip_address() { // Check for shared Internet/ISP IP if (!empty($_SERVER['HTTP_CLIENT_IP']) && validate_ip($_SERVER['HTTP_CLIENT_IP'])) { return $_SERVER['HTTP_CLIENT_IP']; } // Check for IP addresses passing through proxies if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { // Check if multiple IP addresses exist in var if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',') !== false) { $iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); foreach ($iplist as $ip) { if (validate_ip($ip)) return $ip; } } else { if (validate_ip($_SERVER['HTTP_X_FORWARDED_FOR'])) return $_SERVER['HTTP_X_FORWARDED_FOR']; } } if (!empty($_SERVER['HTTP_X_FORWARDED']) && validate_ip($_SERVER['HTTP_X_FORWARDED'])) return $_SERVER['HTTP_X_FORWARDED']; if (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && validate_ip($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP']; if (!empty($_SERVER['HTTP_FORWARDED_FOR']) && validate_ip($_SERVER['HTTP_FORWARDED_FOR'])) return $_SERVER['HTTP_FORWARDED_FOR']; if (!empty($_SERVER['HTTP_FORWARDED']) && validate_ip($_SERVER['HTTP_FORWARDED'])) return $_SERVER['HTTP_FORWARDED']; // Return unreliable IP address since all else failed return $_SERVER['REMOTE_ADDR']; } /** * Ensures an IP address is both a valid IP address and does not fall within * a private network range. */ function validate_ip($ip) { if (strtolower($ip) === 'unknown') return false; // Generate IPv4 network address $ip = ip2long($ip); // If the IP address is set and not equivalent to 255.255.255.255 if ($ip !== false && $ip !== -1) { // Make sure to get unsigned long representation of IP address // due to discrepancies between 32 and 64 bit OSes and // signed numbers (ints default to signed in PHP) $ip = sprintf('%u', $ip); // Do private network range checking if ($ip >= 0 && $ip <= 50331647) return false; if ($ip >= 167772160 && $ip <= 184549375) return false; if ($ip >= 2130706432 && $ip <= 2147483647) return false; if ($ip >= 2851995648 && $ip <= 2852061183) return false; if ($ip >= 2886729728 && $ip <= 2887778303) return false; if ($ip >= 3221225984 && $ip <= 3221226239) return false; if ($ip >= 3232235520 && $ip <= 3232301055) return false; if ($ip >= 4294967040) return false; } return true; }

$_SERVER['REMOTE_ADDR'];

$ip = ""; if (!empty($_SERVER["HTTP_CLIENT_IP"])) { // Check for IP address from shared Internet $ip = $_SERVER["HTTP_CLIENT_IP"]; } elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) { // Check for the proxy user $ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; } else { $ip = $_SERVER["REMOTE_ADDR"]; } echo $ip;

$userIp = $_SERVER['REMOTE_ADDR'];

<?php echo GetClientIP(true); function GetClientIP($validate = False) { $ipkeys = array( 'REMOTE_ADDR', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP' ); /* Now we check each key against $_SERVER if containing such value */ $ip = array(); foreach ($ipkeys as $keyword) { if (isset($_SERVER[$keyword])) { if ($validate) { if (ValidatePublicIP($_SERVER[$keyword])) { $ip[] = $_SERVER[$keyword]; } } else{ $ip[] = $_SERVER[$keyword]; } } } $ip = ( empty($ip) ? 'Unknown' : implode(", ", $ip) ); return $ip; } function ValidatePublicIP($ip){ if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { return true; } else { return false; } }

<?php $ip = '0.0.0.0'; $ip = $_SERVER['REMOTE_ADDR']; $clientDetails = json_decode(file_get_contents("http://ipinfo.io/$ip/json")); echo "You're logged in from: <b>" . $clientDetails->country . "</b>"; ?>

function GetIP() { if ( getenv("HTTP_CLIENT_IP") ) { $ip = getenv("HTTP_CLIENT_IP"); } elseif ( getenv("HTTP_X_FORWARDED_FOR") ) { $ip = getenv("HTTP_X_FORWARDED_FOR"); if ( strstr($ip, ',') ) { $tmp = explode(',', $ip); $ip = trim($tmp[0]); } } else { $ip = getenv("REMOTE_ADDR"); } return $ip; }

$ip = $_SERVER['HTTP_X_FORWARDED_FOR']?: $_SERVER['HTTP_CLIENT_IP']?: $_SERVER['REMOTE_ADDR'];

function valid_ip($ip) { // for list of reserved IP addresses, see https://en.wikipedia.org/wiki/Reserved_IP_addresses return $ip && substr($ip, 0, 4) != '127.' && substr($ip, 0, 4) != '127.' && substr($ip, 0, 3) != '10.' && substr($ip, 0, 2) != '0.' ? $ip : false; } function get_client_ip() { // using explode to get only client ip from list of forwarders. see https://en.wikipedia.org/wiki/X-Forwarded-For return @$_SERVER['HTTP_X_FORWARDED_FOR'] ? explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2)[0] : @$_SERVER['HTTP_CLIENT_IP'] ? explode(',', $_SERVER['HTTP_CLIENT_IP'], 2)[0] : valid_ip(@$_SERVER['REMOTE_ADDR']) ?: 'UNKNOWN'; } echo get_client_ip();

// Function to get the user IP address function getUserIP() { $ipaddress = ''; if (isset($_SERVER['HTTP_CLIENT_IP'])) $ipaddress = $_SERVER['HTTP_CLIENT_IP']; else if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR']; else if(isset($_SERVER['HTTP_X_FORWARDED'])) $ipaddress = $_SERVER['HTTP_X_FORWARDED']; else if(isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) $ipaddress = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP']; else if(isset($_SERVER['HTTP_FORWARDED_FOR'])) $ipaddress = $_SERVER['HTTP_FORWARDED_FOR']; else if(isset($_SERVER['HTTP_FORWARDED'])) $ipaddress = $_SERVER['HTTP_FORWARDED']; else if(isset($_SERVER['REMOTE_ADDR'])) $ipaddress = $_SERVER['REMOTE_ADDR']; else $ipaddress = 'UNKNOWN'; return $ipaddress; }

$ip = filter_input(INPUT_SERVER, 'HTTP_CLIENT_IP', FILTER_VALIDATE_IP) ?: filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED_FOR', FILTER_VALIDATE_IP) ?: $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'; // Or other value fits "not defined" in your logic

function Get_User_Ip() { $IP = false; if (getenv('HTTP_CLIENT_IP')) { $IP = getenv('HTTP_CLIENT_IP'); } else if(getenv('HTTP_X_FORWARDED_FOR')) { $IP = getenv('HTTP_X_FORWARDED_FOR'); } else if(getenv('HTTP_X_FORWARDED')) { $IP = getenv('HTTP_X_FORWARDED'); } else if(getenv('HTTP_FORWARDED_FOR')) { $IP = getenv('HTTP_FORWARDED_FOR'); } else if(getenv('HTTP_FORWARDED')) { $IP = getenv('HTTP_FORWARDED'); } else if(getenv('REMOTE_ADDR')) { $IP = getenv('REMOTE_ADDR'); } //If HTTP_X_FORWARDED_FOR == server ip if((($IP) && ($IP == getenv('SERVER_ADDR')) && (getenv('REMOTE_ADDR')) || (!filter_var($IP, FILTER_VALIDATE_IP)))) { $IP = getenv('REMOTE_ADDR'); } if($IP) { if(!filter_var($IP, FILTER_VALIDATE_IP)) { $IP = false; } } else { $IP = false; } return $IP; }

//Get client's IP or null if nothing looks valid function ip_get($allow_private = false) { //Place your trusted proxy server IPs here. $proxy_ip = ['127.0.0.1']; //The header to look for (Make sure to pick the one that your trusted reverse proxy is sending or else you can get spoofed) $header = 'HTTP_X_FORWARDED_FOR'; //HTTP_CLIENT_IP, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR, HTTP_FORWARDED //If 'REMOTE_ADDR' seems to be a valid client IP, use it. if(ip_check($_SERVER['REMOTE_ADDR'], $allow_private, $proxy_ip)) return $_SERVER['REMOTE_ADDR']; if(isset($_SERVER[$header])) { //Split comma separated values [1] in the header and traverse the proxy chain backwards. //[1] https://en.wikipedia.org/wiki/X-Forwarded-For#Format $chain = array_reverse(preg_split('/\s*,\s*/', $_SERVER[$header])); foreach($chain as $ip) if(ip_check($ip, $allow_private, $proxy_ip)) return $ip; } return null; } //Check for valid IP. If 'allow_private' flag is set to truthy, it allows private IP ranges as valid client IP as well. (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) //Pass your trusted reverse proxy IPs as $proxy_ip to exclude them from being valid. function ip_check($ip, $allow_private = false, $proxy_ip = []) { if(!is_string($ip) || is_array($proxy_ip) && in_array($ip, $proxy_ip)) return false; $filter_flag = FILTER_FLAG_NO_RES_RANGE; if(!$allow_private) { //Disallow loopback IP range which doesn't get filtered via 'FILTER_FLAG_NO_PRIV_RANGE' [1] //[1] https://www.php.net/manual/en/filter.filters.validate.php if(preg_match('/^127\.$/', $ip)) return false; $filter_flag |= FILTER_FLAG_NO_PRIV_RANGE; } return filter_var($ip, FILTER_VALIDATE_IP, $filter_flag) !== false; }

$ip = $_SERVER['REMOTE_ADDR']; $ip = $_SERVER['HTTP_CLIENT_IP']; $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; $ip = $_SERVER['HTTP_X_FORWARDED']; $ip = $_SERVER['HTTP_FORWARDED_FOR']; $ip = $_SERVER['HTTP_FORWARDED'];

function getClientIP():string { $keys=array('HTTP_CLIENT_IP','HTTP_X_FORWARDED_FOR','HTTP_X_FORWARDED','HTTP_FORWARDED_FOR','HTTP_FORWARDED','REMOTE_ADDR'); foreach($keys as $k) { if (!empty($_SERVER[$k]) && filter_var($_SERVER[$k], FILTER_VALIDATE_IP)) { return $_SERVER[$k]; } } return "UNKNOWN"; }