How to get the client IP address in PHP
How can I get the client IP address using PHP?
I want to keep record of the user who logged into my website through his/her IP address.
Whatever you do, make sure not to trust data sent from the client. $_SERVER['REMOTE_ADDR']
contains the real IP address of the connecting party. That is the most reliable value you can find.
However, they can be behind a proxy server in which case the proxy may have set the $_SERVER['HTTP_X_FORWARDED_FOR']
, but this value is easily spoofed. For example, it can be set by someone without a proxy, or the IP can be an internal IP from the LAN behind the proxy.
This means that if you are going to save the $_SERVER['HTTP_X_FORWARDED_FOR']
, make sure you also save the $_SERVER['REMOTE_ADDR']
value. E.g. by saving both values in different fields in your database.
If you are going to save the IP to a database as a string, make sure you have space for at least 45 characters. IPv6 is here to stay and those addresses are larger than the older IPv4 addresses.
(Note that IPv6 usually uses 39 characters at most but there is also a special IPv6 notation for IPv4 addresses which in its full form can be up to 45 characters. So if you know what you are doing you can use 39 characters, but if you just want to set and forget it, use 45).
$_SERVER['REMOTE_ADDR']
may not actually contain real client IP addresses, as it will give you a proxy address for clients connected through a proxy, for example. That may
well be what you really want, though, depending what your doing with the IPs. Someone's private RFC1918 address may not do you any good if you're say, trying to see where your traffic is originating from, or remembering what IP the user last connected from, where the public IP of the proxy or NAT gateway might be the more appropriate to store.
There are several HTTP headers like X-Forwarded-For
which may or may not be set by various proxies. The problem is that those are merely HTTP headers which can be set by anyone. There's no guarantee about their content. $_SERVER['REMOTE_ADDR']
is the actual physical IP address that the web server received the connection from and that the response will be sent to. Anything else is just arbitrary and voluntary information. There's only one scenario in which you can trust this information: you are controlling the proxy that sets this header. Meaning only if you know 100% where and how the header was set should you heed it for anything of importance.
Having said that, here's some sample code:
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
Editor's note: Using the above code has security implications. The client can set all HTTP header information (ie. $_SERVER['HTTP_...
) to any arbitrary value it wants. As such it's far more reliable to use $_SERVER['REMOTE_ADDR']
, as this cannot be set by the user.
From: http://roshanbh.com.np/2007/12/getting-real-ip-address-in-php.html
echo $_SERVER['REMOTE_ADDR'];
http://php.net/manual/en/reserved.variables.server.php
Here is a cleaner code sample of a good way to get the IP address of the user.
$ip = $_SERVER['HTTP_CLIENT_IP']
? $_SERVER['HTTP_CLIENT_IP']
: ($_SERVER['HTTP_X_FORWARDED_FOR']
? $_SERVER['HTTP_X_FORWARDED_FOR']
: $_SERVER['REMOTE_ADDR']);
Here is a shorter version that uses the elvis operator:
$_SERVER['HTTP_CLIENT_IP']
? : ($_SERVER['HTTP_X_FORWARDED_FOR']
? : $_SERVER['REMOTE_ADDR']);
Here is a version that uses isset to remove notices (thank you, @shasi kanth):
$ip = isset($_SERVER['HTTP_CLIENT_IP'])
? $_SERVER['HTTP_CLIENT_IP']
: isset($_SERVER['HTTP_X_FORWARDED_FOR'])
? $_SERVER['HTTP_X_FORWARDED_FOR']
: $_SERVER['REMOTE_ADDR'];
It should be contained in the $_SERVER['REMOTE_ADDR']
variable.