如何在PHP中获取客户端IP地址
如何使用PHP获取客户端IP地址如何在PHP中获取客户端IP地址,php,environment-variables,ip-address,Php,Environment Variables,Ip Address,如何使用PHP获取客户端IP地址 我想保留通过其IP地址登录我的网站的用户的记录。它应该包含在$\u SERVER['REMOTE\u ADDR']变量中。$\u SERVER['REMOTE\u ADDR']可能实际上不包含真实的客户端IP地址,因为它会为通过代理连接的客户端提供代理地址。那可能 不过,我们会成为你真正想要的,这取决于你对IPs做了什么。某人的专用RFC1918地址可能对您没有任何好处,如果您试图查看您的流量来自何处,或者记住用户上次连接的IP,代理或NAT网关的公共IP可能更
我想保留通过其IP地址登录我的网站的用户的记录。它应该包含在$\u SERVER['REMOTE\u ADDR']变量中。$\u SERVER['REMOTE\u ADDR']可能实际上不包含真实的客户端IP地址,因为它会为通过代理连接的客户端提供代理地址。那可能 不过,我们会成为你真正想要的,这取决于你对IPs做了什么。某人的专用RFC1918地址可能对您没有任何好处,如果您试图查看您的流量来自何处,或者记住用户上次连接的IP,代理或NAT网关的公共IP可能更适合存储在何处 有几个HTTP头,比如X-Forwarded-For,可以由各种代理设置,也可以不设置。问题是,这些只是HTTP头,任何人都可以设置。他们的内容不能保证$_SERVER['REMOTE_ADDR']是web服务器从中接收连接并将响应发送到的实际物理IP地址。其他任何信息都是随意的和自愿的。只有一种情况下您可以信任此信息:您正在控制设置此标头的代理。这意味着只有当你100%知道标题的位置和设置方式时,你才应该注意它的重要性 话虽如此,下面是一些示例代码:
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip = $_SERVER['HTTP_CLIENT_IP'] ? $_SERVER['HTTP_CLIENT_IP'] : ($_SERVER['HTTP_X_FORWARDED_FOR'] ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
答案是使用变量。例如,$\u SERVER[REMOTE\u ADDR]将返回客户端的IP地址。无论您做什么,请确保不要信任从客户端发送的数据。$\u SERVER['REMOTE\u ADDR']包含连接方的真实IP地址。这是您可以找到的最可靠的值 但是,它们可以位于代理服务器后面,在这种情况下,代理服务器可能已设置$_server['HTTP_X_FORWARDED_FOR'],但此值很容易被欺骗。例如,它可以由没有代理的人设置,或者IP可以是代理服务器后面LAN的内部IP 这意味着,如果要保存$_服务器['HTTP_X_FORWARDED_FOR'],请确保还保存$_服务器['REMOTE_ADDR']值。例如,在数据库的不同字段中保存这两个值 如果要将IP作为字符串保存到数据库,请确保至少有45个字符的空间。将保留,并且这些地址大于旧的IPv4地址
请注意,IPv6通常最多使用39个字符,但也有一个特殊的字符,其完整形式最多可使用45个字符。因此,如果您知道自己在做什么,可以使用39个字符,但如果您只是想设置并忘记它,请使用45个字符。我喜欢此代码段:
function getClientIP() {
if (isset($_SERVER)) {
if (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
return $_SERVER["HTTP_X_FORWARDED_FOR"];
if (isset($_SERVER["HTTP_CLIENT_IP"]))
return $_SERVER["HTTP_CLIENT_IP"];
return $_SERVER["REMOTE_ADDR"];
}
if (getenv('HTTP_X_FORWARDED_FOR'))
return getenv('HTTP_X_FORWARDED_FOR');
if (getenv('HTTP_CLIENT_IP'))
return getenv('HTTP_CLIENT_IP');
return getenv('REMOTE_ADDR');
}
这是我使用的方法,它验证输入:
我最喜欢的解决方案是Zend Framework 2的使用方式。它还考虑了$_服务器属性HTTP_X_FORWARDED_FOR、HTTP_CLIENT_IP、REMOTE_ADDR,但它声明了一个类来设置一些受信任的代理,并返回一个IP地址而不是数组。我认为这是最接近它的解决方案:
class RemoteAddress
{
/**
* Whether to use proxy addresses or not.
*
* As default this setting is disabled - IP address is mostly needed to increase
* security. HTTP_* are not reliable since can easily be spoofed. It can be enabled
* just for more flexibility, but if user uses proxy to connect to trusted services
* it's his/her own risk, only reliable field for IP address is $_SERVER['REMOTE_ADDR'].
*
* @var bool
*/
protected $useProxy = false;
/**
* List of trusted proxy IP addresses
*
* @var array
*/
protected $trustedProxies = array();
/**
* HTTP header to introspect for proxies
*
* @var string
*/
protected $proxyHeader = 'HTTP_X_FORWARDED_FOR';
// [...]
/**
* Returns client IP address.
*
* @return string IP address.
*/
public function getIpAddress()
{
$ip = $this->getIpAddressFromProxy();
if ($ip) {
return $ip;
}
// direct IP address
if (isset($_SERVER['REMOTE_ADDR'])) {
return $_SERVER['REMOTE_ADDR'];
}
return '';
}
/**
* Attempt to get the IP address for a proxied client
*
* @see http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-10#section-5.2
* @return false|string
*/
protected function getIpAddressFromProxy()
{
if (!$this->useProxy
|| (isset($_SERVER['REMOTE_ADDR']) && !in_array($_SERVER['REMOTE_ADDR'], $this->trustedProxies))
) {
return false;
}
$header = $this->proxyHeader;
if (!isset($_SERVER[$header]) || empty($_SERVER[$header])) {
return false;
}
// Extract IPs
$ips = explode(',', $_SERVER[$header]);
// trim, so we can compare against trusted proxies properly
$ips = array_map('trim', $ips);
// remove trusted proxy IPs
$ips = array_diff($ips, $this->trustedProxies);
// Any left?
if (empty($ips)) {
return false;
}
// Since we've removed any known, trusted proxy servers, the right-most
// address represents the first IP we do not know about -- i.e., we do
// not know if it is a proxy server, or a client. As such, we treat it
// as the originating IP.
// @see http://en.wikipedia.org/wiki/X-Forwarded-For
$ip = array_pop($ips);
return $ip;
}
// [...]
}
下面是一个更清晰的代码示例,它是获取用户IP地址的好方法
$ip = $_SERVER['HTTP_CLIENT_IP'] ? $_SERVER['HTTP_CLIENT_IP'] : ($_SERVER['HTTP_X_FORWARDED_FOR'] ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
$_SERVER['HTTP_CLIENT_IP'] ? : ($_SERVER['HTTP_X_FORWARDED_FOR'] ? : $_SERVER['REMOTE_ADDR']);
$ip = isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
if (($ip=filter_input(INPUT_SERVER, 'REMOTE_ADDR', validate_ip)) === false or empty($ip)) {
exit;
}
echo $ip;
所有以“HTTP_uu”或“X-”开头的头都可能被欺骗,这两个头分别是用户定义的。如果您想跟踪,请使用cookies等。以下是我发现的最先进的方法,我过去也尝试过其他方法。确保获得访问者的IP地址是有效的,但请注意,任何黑客都可能会失败很容易地修改IP地址
function get_ip_address() {
// Check for shared Internet/ISP IP
if (!empty($_SERVER['HTTP_CLIENT_IP']) && validate_ip($_SERVER['HTTP_CLIENT_IP'])) {
return $_SERVER['HTTP_CLIENT_IP'];
}
// Check for IP addresses passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
// Check if multiple IP addresses exist in var
if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',') !== false) {
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
foreach ($iplist as $ip) {
if (validate_ip($ip))
return $ip;
}
}
else {
if (validate_ip($_SERVER['HTTP_X_FORWARDED_FOR']))
return $_SERVER['HTTP_X_FORWARDED_FOR'];
}
}
if (!empty($_SERVER['HTTP_X_FORWARDED']) && validate_ip($_SERVER['HTTP_X_FORWARDED']))
return $_SERVER['HTTP_X_FORWARDED'];
if (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && validate_ip($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']))
return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
if (!empty($_SERVER['HTTP_FORWARDED_FOR']) && validate_ip($_SERVER['HTTP_FORWARDED_FOR']))
return $_SERVER['HTTP_FORWARDED_FOR'];
if (!empty($_SERVER['HTTP_FORWARDED']) && validate_ip($_SERVER['HTTP_FORWARDED']))
return $_SERVER['HTTP_FORWARDED'];
// Return unreliable IP address since all else failed
return $_SERVER['REMOTE_ADDR'];
}
/**
* Ensures an IP address is both a valid IP address and does not fall within
* a private network range.
*/
function validate_ip($ip) {
if (strtolower($ip) === 'unknown')
return false;
// Generate IPv4 network address
$ip = ip2long($ip);
// If the IP address is set and not equivalent to 255.255.255.255
if ($ip !== false && $ip !== -1) {
// Make sure to get unsigned long representation of IP address
// due to discrepancies between 32 and 64 bit OSes and
// signed numbers (ints default to signed in PHP)
$ip = sprintf('%u', $ip);
// Do private network range checking
if ($ip >= 0 && $ip <= 50331647)
return false;
if ($ip >= 167772160 && $ip <= 184549375)
return false;
if ($ip >= 2130706432 && $ip <= 2147483647)
return false;
if ($ip >= 2851995648 && $ip <= 2852061183)
return false;
if ($ip >= 2886729728 && $ip <= 2887778303)
return false;
if ($ip >= 3221225984 && $ip <= 3221226239)
return false;
if ($ip >= 3232235520 && $ip <= 3232301055)
return false;
if ($ip >= 4294967040)
return false;
}
return true;
}
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
$_SERVER['REMOTE_ADDR'];
这可以通过使用名为$\u SERVER的全局变量来实现 $\u服务器是一个属性名为REMOTE\u ADDR的数组 按如下方式分配:
$userIp = $_SERVER['REMOTE_ADDR'];
或echo$\u SERVER['REMOTE\u ADDR'];。以下函数确定所有可能性,并以逗号分隔的格式ip、ip等返回值 它还有一个可选的验证函数作为第一个参数,默认情况下禁用该函数以根据专用范围和保留范围验证IP地址
<?php
echo GetClientIP(true);
function GetClientIP($validate = False) {
$ipkeys = array(
'REMOTE_ADDR',
'HTTP_CLIENT_IP',
'HTTP_X_FORWARDED_FOR',
'HTTP_X_FORWARDED',
'HTTP_FORWARDED_FOR',
'HTTP_FORWARDED',
'HTTP_X_CLUSTER_CLIENT_IP'
);
/*
Now we check each key against $_SERVER if containing such value
*/
$ip = array();
foreach ($ipkeys as $keyword) {
if (isset($_SERVER[$keyword])) {
if ($validate) {
if (ValidatePublicIP($_SERVER[$keyword])) {
$ip[] = $_SERVER[$keyword];
}
}
else{
$ip[] = $_SERVER[$keyword];
}
}
}
$ip = ( empty($ip) ? 'Unknown' : implode(", ", $ip) );
return $ip;
}
function ValidatePublicIP($ip){
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
return true;
}
else {
return false;
}
}
正如前面所有其他人所说的,您可以使用$_SERVER['REMOTE_ADDR'];获取客户端IP地址 此外,如果您需要有关用户的更多信息,您可以使用:
<?php
$ip = '0.0.0.0';
$ip = $_SERVER['REMOTE_ADDR'];
$clientDetails = json_decode(file_get_contents("http://ipinfo.io/$ip/json"));
echo "You're logged in from: <b>" . $clientDetails->country . "</b>";
?>
我正在使用以获取额外信息。此函数非常紧凑,您可以在任何地方使用它。但是 别忘了!在这种类型的函数或代码块中,无法保证记录用户的真实IP地址,因为有些用户可以使用代理或其他安全网关进行不可见或无法跟踪 PHP函数:
function GetIP()
{
if ( getenv("HTTP_CLIENT_IP") ) {
$ip = getenv("HTTP_CLIENT_IP");
} elseif ( getenv("HTTP_X_FORWARDED_FOR") ) {
$ip = getenv("HTTP_X_FORWARDED_FOR");
if ( strstr($ip, ',') ) {
$tmp = explode(',', $ip);
$ip = trim($tmp[0]);
}
} else {
$ip = getenv("REMOTE_ADDR");
}
return $ip;
}
$IP=GetIP;或直接获取IP 这里有一个简单的单行线
$ip = $_SERVER['HTTP_X_FORWARDED_FOR']?: $_SERVER['HTTP_CLIENT_IP']?: $_SERVER['REMOTE_ADDR'];
function valid_ip($ip) {
// for list of reserved IP addresses, see https://en.wikipedia.org/wiki/Reserved_IP_addresses
return $ip && substr($ip, 0, 4) != '127.' && substr($ip, 0, 4) != '127.' && substr($ip, 0, 3) != '10.' && substr($ip, 0, 2) != '0.' ? $ip : false;
}
function get_client_ip() {
// using explode to get only client ip from list of forwarders. see https://en.wikipedia.org/wiki/X-Forwarded-For
return
@$_SERVER['HTTP_X_FORWARDED_FOR'] ? explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2)[0] :
@$_SERVER['HTTP_CLIENT_IP'] ? explode(',', $_SERVER['HTTP_CLIENT_IP'], 2)[0] :
valid_ip(@$_SERVER['REMOTE_ADDR']) ?:
'UNKNOWN';
}
echo get_client_ip();
互联网背后有不同类型的用户,因此我们希望从不同的部分获取IP地址。这些是: 一,$_服务器['REMOTE_ADDR']- 它包含客户端的真实IP地址。这是您可以从用户那里找到的最可靠的值
$ip = $_SERVER['HTTP_CLIENT_IP'] ? $_SERVER['HTTP_CLIENT_IP'] : ($_SERVER['HTTP_X_FORWARDED_FOR'] ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
// Function to get the user IP address
function getUserIP() {
$ipaddress = '';
if (isset($_SERVER['HTTP_CLIENT_IP']))
$ipaddress = $_SERVER['HTTP_CLIENT_IP'];
else if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
$ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
else if(isset($_SERVER['HTTP_X_FORWARDED']))
$ipaddress = $_SERVER['HTTP_X_FORWARDED'];
else if(isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']))
$ipaddress = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
else if(isset($_SERVER['HTTP_FORWARDED_FOR']))
$ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
else if(isset($_SERVER['HTTP_FORWARDED']))
$ipaddress = $_SERVER['HTTP_FORWARDED'];
else if(isset($_SERVER['REMOTE_ADDR']))
$ipaddress = $_SERVER['REMOTE_ADDR'];
else
$ipaddress = 'UNKNOWN';
return $ipaddress;
}
以下是获取客户端IP地址的一行程序版本:
$ip = filter_input(INPUT_SERVER, 'HTTP_CLIENT_IP', FILTER_VALIDATE_IP)
?: filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED_FOR', FILTER_VALIDATE_IP)
?: $_SERVER['REMOTE_ADDR']
?? '0.0.0.0'; // Or other value fits "not defined" in your logic
current(explode(',', @$_SERVER['HTTP_X_FORWARDED_FOR']))
获取IP地址的安全和警告提示代码段:
$ip = filter_input(INPUT_SERVER, 'HTTP_CLIENT_IP', FILTER_VALIDATE_IP)
?: filter_input(INPUT_SERVER, 'HTTP_X_FORWARDED_FOR', FILTER_VALIDATE_IP)
?: $_SERVER['REMOTE_ADDR']
?? '0.0.0.0'; // Or other value fits "not defined" in your logic
此功能应按预期工作
function Get_User_Ip()
{
$IP = false;
if (getenv('HTTP_CLIENT_IP'))
{
$IP = getenv('HTTP_CLIENT_IP');
}
else if(getenv('HTTP_X_FORWARDED_FOR'))
{
$IP = getenv('HTTP_X_FORWARDED_FOR');
}
else if(getenv('HTTP_X_FORWARDED'))
{
$IP = getenv('HTTP_X_FORWARDED');
}
else if(getenv('HTTP_FORWARDED_FOR'))
{
$IP = getenv('HTTP_FORWARDED_FOR');
}
else if(getenv('HTTP_FORWARDED'))
{
$IP = getenv('HTTP_FORWARDED');
}
else if(getenv('REMOTE_ADDR'))
{
$IP = getenv('REMOTE_ADDR');
}
//If HTTP_X_FORWARDED_FOR == server ip
if((($IP) && ($IP == getenv('SERVER_ADDR')) && (getenv('REMOTE_ADDR')) || (!filter_var($IP, FILTER_VALIDATE_IP))))
{
$IP = getenv('REMOTE_ADDR');
}
if($IP)
{
if(!filter_var($IP, FILTER_VALIDATE_IP))
{
$IP = false;
}
}
else
{
$IP = false;
}
return $IP;
}
就这一点而言,我很惊讶还没有提到的是,要获得那些位于CloudFlare基础设施后面的站点的正确IP地址。它将破坏您的IP地址,并为它们提供相同的值。 幸运的是,它们也有一些可用的服务器头。 我没有重写已经写过的东西,而是在这里寻找一个更简洁的答案,是的,我很久以前也经历过这个过程。 函数获取客户端ip { foreach数组 “HTTP_客户端_IP”, “HTTP\u X\u转发给”, “HTTP_X_转发”, “HTTP_X_群集_客户端_IP”, “HTTP\u转发给”, “HTTP_转发”, “远程地址”作为$key{ 如果数组\u key\u存在$key,$\u服务器{ foreach将“,”和“$”服务器[$key]分解为$ip{ $ip=修剪$ip; 如果布尔过滤器变量为$ip,则过滤器验证ip, 筛选器\u标志\u IPV4| 过滤器\u标志\u无\u专用范围| 过滤器\u标志\u无\u分辨率\u范围{ 返回$ip; } } } } 返回null; } 或压缩版本: 函数get\u ip{ foreach数组'HTTP_CLIENT_IP','HTTP_X_FORWARDED_FOR','HTTP_X_FORWARDED','HTTP_X_CLUSTER_CLIENT_IP','HTTP_FORWARDED_FOR','HTTP_FORWARDED','REMOTE_ADDR'作为$key{ 如果数组\u key\u存在$key,$\u服务器===true{ foreach数组_将'trim',explode',',$_服务器[$key]映射为$ip{ 如果filter_var$ip、filter_VALIDATE_ip、filter_FLAG_NO_PRIV_RANGE | filter_FLAG_NO_RES_RANGE!==false{ 返回$ip; } } } } }
这里有一些代码,可以通过检查各种来源来选择有效的IP 首先,它检查“REMOTE_ADDR”是否为公共IP,并且不是您的可信反向代理之一,然后检查其中一个HTTP头,直到找到公共IP并返回它。PHP5.2+ 只要反向代理是可信的,或者服务器与客户端直接连接,它就应该是可靠的
//Get client's IP or null if nothing looks valid
function ip_get($allow_private = false)
{
//Place your trusted proxy server IPs here.
$proxy_ip = ['127.0.0.1'];
//The header to look for (Make sure to pick the one that your trusted reverse proxy is sending or else you can get spoofed)
$header = 'HTTP_X_FORWARDED_FOR'; //HTTP_CLIENT_IP, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR, HTTP_FORWARDED
//If 'REMOTE_ADDR' seems to be a valid client IP, use it.
if(ip_check($_SERVER['REMOTE_ADDR'], $allow_private, $proxy_ip)) return $_SERVER['REMOTE_ADDR'];
if(isset($_SERVER[$header]))
{
//Split comma separated values [1] in the header and traverse the proxy chain backwards.
//[1] https://en.wikipedia.org/wiki/X-Forwarded-For#Format
$chain = array_reverse(preg_split('/\s*,\s*/', $_SERVER[$header]));
foreach($chain as $ip) if(ip_check($ip, $allow_private, $proxy_ip)) return $ip;
}
return null;
}
//Check for valid IP. If 'allow_private' flag is set to truthy, it allows private IP ranges as valid client IP as well. (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
//Pass your trusted reverse proxy IPs as $proxy_ip to exclude them from being valid.
function ip_check($ip, $allow_private = false, $proxy_ip = [])
{
if(!is_string($ip) || is_array($proxy_ip) && in_array($ip, $proxy_ip)) return false;
$filter_flag = FILTER_FLAG_NO_RES_RANGE;
if(!$allow_private)
{
//Disallow loopback IP range which doesn't get filtered via 'FILTER_FLAG_NO_PRIV_RANGE' [1]
//[1] https://www.php.net/manual/en/filter.filters.validate.php
if(preg_match('/^127\.$/', $ip)) return false;
$filter_flag |= FILTER_FLAG_NO_PRIV_RANGE;
}
return filter_var($ip, FILTER_VALIDATE_IP, $filter_flag) !== false;
}
$ip = $_SERVER['REMOTE_ADDR'];
$ip = $_SERVER['HTTP_CLIENT_IP'];
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip = $_SERVER['HTTP_X_FORWARDED'];
$ip = $_SERVER['HTTP_FORWARDED_FOR'];
$ip = $_SERVER['HTTP_FORWARDED'];
无错误的快速解决方案
function getClientIP():string
{
$keys=array('HTTP_CLIENT_IP','HTTP_X_FORWARDED_FOR','HTTP_X_FORWARDED','HTTP_FORWARDED_FOR','HTTP_FORWARDED','REMOTE_ADDR');
foreach($keys as $k)
{
if (!empty($_SERVER[$k]) && filter_var($_SERVER[$k], FILTER_VALIDATE_IP))
{
return $_SERVER[$k];
}
}
return "UNKNOWN";
}
@Anup Prakash就是这样——因此从脚本的角度来看是远程的@SiKni8::1是IPv6与127.0.0的等价物。1@CamiloMartin你刚刚教了我一些东西。凉的我是说重点是什么。。getenv不是提供了与$\u服务器相同的东西吗?@Paceriermy猜测可能是PHP的旧版本,其中$\u服务器还不可用@Johan为什么不返回一个包含所有三个IP的数组?@nueverest,因为用户通常不会从三个不同的IP访问您的站点。您希望返回适用于他的代码。除非您确切知道上面的代码的作用,否则不要使用该代码!我看到了巨大的安全漏洞。Th
e客户端可以将X-Forwarded-For或客户端IP头设置为它想要的任意值。除非你有一个可信的反向代理,否则你不应该使用这些值中的任何一个;而且真的应该被“解析”而不是从表面上看,它几乎从不包含一个IP。@LostPhilospher这是一个合理的做法,它会使它更可靠,但不幸的是它仍然允许欺骗。对于一个规模较大的站点,web应用服务器前面将有负载平衡器和/或反向代理。您必须配置这些负载平衡器或代理以删除任何外部X-Forwarded-For标头,而不是插入它们自己的连接客户端的IP地址。感谢您允许我通过简单设置HTTP标头来欺骗我的IP地址!始终记得清理任何可能被用户修改的输入。这是其中的一次。我相信代码缺少了一些表达式,优先级顺序颠倒了,所以应该是这样的:$ip=$服务器['HTTP\U客户端\U ip']?$服务器['HTTP\U客户端\U ip']:$服务器['HTTP\U转发给']?$服务器['HTTP\U转发给']:$服务器['REMOTE\U ADDR'];不过,很好的一个,接得好。我已经调整了岗位。非常感谢。刚刚添加了isset以删除通知:$ip=isset$\u服务器['HTTP\u客户端\u ip']?$\u服务器['HTTP\u客户端\u ip']:isset$\u服务器['HTTP\u X\u转发D_代表“]”?$_服务器['HTTP_X_FORWARDED_代表“]:$_服务器['REMOTE_ADDR'];正如有人指出的,这三个例子都充满了隐藏字符U+200C和U+200B。不要将它们粘贴到php脚本中,否则会出现解析错误。如果要查看所有隐藏字符,请将这些行粘贴到此处:。请清除那个代码!回答得好!我已经在为我的服务器使用$\u SERVER['REMOTE\u ADDR'],我希望您提供另一种方式,以及优点和缺点。注意:REMOTE\u ADDR可能不包含TCP连接的真实IP。这完全取决于您的SAPI。确保SAPI已正确配置,以便$\u SERVER['REMOTE\u ADDR']实际返回TCP连接的IP。否则可能会导致一些严重的漏洞,例如,StackExchange通过检查REMOTE_ADDR是否与localhost匹配来授予管理员访问权限,不幸的是,SAPI的配置有一个漏洞,它将HTTP_X_FORWARDED_作为输入,允许非管理员通过更改HTTP_X_FORWARDED_头来获得管理员访问权限。也看到了伟大的答案!使用在如此大的框架中开发和使用的、经过生产测试的代码是您能做的最好的事情之一:那么等待zend不过滤任何东西?我应该看到如下内容:filter\u var$\u SERVER['REMOTE\u ADDR'],filter\u VALIDATE\u IP,filter\u FLAG\u IPV4@汉诺克斯:你为什么要这么做?欺骗遥控器是很困难的address@Hanoncs我认为你必须在通过这个类获得它之后检查它的值。这不是逻辑的一部分。它只是按原样从$\u服务器变量中获取值,并跳过一些已定义和已知的代理服务器。这就是全部。如果您认为返回值不安全,请检查它或向PHP开发人员报告一个错误。@Algorhytim如何确定一个众所周知的代理服务器是什么?这已经提到过几次了,您的回答实际上没有任何有用的东西。“您的回答实际上没有任何有用的东西”-不确定您的意思,它回答了人们提出的问题。这怎么没用?因为他回答了一个5年前的问题,而且已经回答了很多相同且更好的答案。@Gyanndra prasad panigrahi试图在你的答案中包含函数文档之类的有用链接。第一个片段如何返回客户端的IP地址?在我看来,它会回显服务器的地址。谢谢罗宾。是的,有时候你不会得到正确的结果。请使用第二种解决方案。@MahfuzAhmed,你能告诉我,文件内容是做什么的吗?如何通过file_get_contents获取IP文件_get_contents在这里是完全无用的:在第1行初始化$IP需要什么。如果所有条件都失败,那么$ip=$\u服务器['REMOTE\u ADDR']也将运行。这是错误的。HTTP_CLIENT_IP比REMOTE_ADDR更不可靠,而且IP验证函数毫无意义。@tobltobs。有趣的是,你这么说,但这是唯一一个在重定向页面加载的清漆框后面对我有效的函数集。我对它竖起大拇指。链接实际上被破坏了。链接被删除了,页面似乎消失了。谢谢你这是2019年获得ip的最佳方式吗?我想知道为什么会有这么多的反对票。我找到了答案,而不是最好的,因为它不考虑内部网络,比如负载平衡。
g服务器,非常有用,并且提供了i上下文中的文档。我猜有些人只是想要一个解决方案,不需要进一步质疑,真的很容易伪造。我刚刚在我自己的网站上尝试了Requestly Chrome扩展,将客户端ip头设置为111.111.111.111。请参阅RFC6302,了解有关记录内容的建议,特别是现在要记住记录端口,而不仅仅是地址。对于那些跟踪用户,请注意,在全球的一些地区,ISP正在使用CGNAT,这使得仅仅信任一个IP地址函数getUserIpAddr{if!empty$_SERVER['HTTP_CLIENT_IP']{$IP=$_SERVER['HTTP_CLIENT_IP'];}或者说空$_SERVER['HTTP_X_FORWARDED_FOR']{$IP=$_SERVER['HTTP_X_FORWARDED_FOR']}或者{$ip=$_服务器['REMOTE_ADDR'];}返回$ip;}你应该使用。它的价值是,它会让你知道IP是否在代理或VPN后面,我认为这很重要。他们有一个PHP代码片段,你可以从中复制你的请求。警告,黑客可以通过发送假X-FORWARDED-FOR:fakeip HTTP Headers轻易欺骗IP,当然,但是如果你使用NGINX,客户端通常是在HTTP\u-FORWARDED\u上可能无法按预期工作:1.此处的所有标题都允许使用逗号和/或分号,因此您必须标记字符串ie,strok$k,';,';2.HTTP_X_FORWARDED不存在;3.此处标准化的HTTP_FORWARDED的使用将始终无法通过filter_var测试,因为它使用自己的语法,即for=1.1.1;by=1.1.0。有关se的文档服务器变量:我不明白为什么有人会浪费这么多时间写无用的注释,而不是让代码可读。
//Get client's IP or null if nothing looks valid
function ip_get($allow_private = false)
{
//Place your trusted proxy server IPs here.
$proxy_ip = ['127.0.0.1'];
//The header to look for (Make sure to pick the one that your trusted reverse proxy is sending or else you can get spoofed)
$header = 'HTTP_X_FORWARDED_FOR'; //HTTP_CLIENT_IP, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR, HTTP_FORWARDED
//If 'REMOTE_ADDR' seems to be a valid client IP, use it.
if(ip_check($_SERVER['REMOTE_ADDR'], $allow_private, $proxy_ip)) return $_SERVER['REMOTE_ADDR'];
if(isset($_SERVER[$header]))
{
//Split comma separated values [1] in the header and traverse the proxy chain backwards.
//[1] https://en.wikipedia.org/wiki/X-Forwarded-For#Format
$chain = array_reverse(preg_split('/\s*,\s*/', $_SERVER[$header]));
foreach($chain as $ip) if(ip_check($ip, $allow_private, $proxy_ip)) return $ip;
}
return null;
}
//Check for valid IP. If 'allow_private' flag is set to truthy, it allows private IP ranges as valid client IP as well. (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
//Pass your trusted reverse proxy IPs as $proxy_ip to exclude them from being valid.
function ip_check($ip, $allow_private = false, $proxy_ip = [])
{
if(!is_string($ip) || is_array($proxy_ip) && in_array($ip, $proxy_ip)) return false;
$filter_flag = FILTER_FLAG_NO_RES_RANGE;
if(!$allow_private)
{
//Disallow loopback IP range which doesn't get filtered via 'FILTER_FLAG_NO_PRIV_RANGE' [1]
//[1] https://www.php.net/manual/en/filter.filters.validate.php
if(preg_match('/^127\.$/', $ip)) return false;
$filter_flag |= FILTER_FLAG_NO_PRIV_RANGE;
}
return filter_var($ip, FILTER_VALIDATE_IP, $filter_flag) !== false;
}
$ip = $_SERVER['REMOTE_ADDR'];
$ip = $_SERVER['HTTP_CLIENT_IP'];
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip = $_SERVER['HTTP_X_FORWARDED'];
$ip = $_SERVER['HTTP_FORWARDED_FOR'];
$ip = $_SERVER['HTTP_FORWARDED'];
function getClientIP():string
{
$keys=array('HTTP_CLIENT_IP','HTTP_X_FORWARDED_FOR','HTTP_X_FORWARDED','HTTP_FORWARDED_FOR','HTTP_FORWARDED','REMOTE_ADDR');
foreach($keys as $k)
{
if (!empty($_SERVER[$k]) && filter_var($_SERVER[$k], FILTER_VALIDATE_IP))
{
return $_SERVER[$k];
}
}
return "UNKNOWN";
}