Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
561 views
in Technique[技术] by (71.8m points)

php / ajax REMOTE_ADDR set to IP of bogus network adapter

today I came a across a pretty strange behaviour of an php based application of mine. In a certain part of the system there's an UI making use of AJAX-calls to fill list boxes with content from the backend.

Now, the AJAX listener performs a security check on all incoming requests, making sure that only valid client IPs get responses. The valid IP are stored in the backend too.

To get the client's IP I used plain old

$_SERVER['REMOTE_ADDR']

which works out for most of the clients. Today I ran into an installation where remote_addr contained the IP of an network adapter which was'nt that one which performed the actual communication for my application.

Googling around agve me Roshan's Blog entry on the topuic:

function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
    {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))//check ip is pass from prxy
    {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
      $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

Sadly the problem persists.

Did anybody ever stumble into this sort of problem (actually I don't think that I discovered a completly new issue ^^) and has an idea for me how to fix this?

EDIT:

I'm on

  • PHP Version 5.2.9-1
  • Apache/2.2.9 (Win32)

The communication is done via a regular LAN card. Now the actuall client has several devices more. VMNet adapters and such.

I'm wondering how a client configuration can 'disturb' a web server that much...

TIA

K

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Unfortunately, you have to take all IP information with a grain of salt.

IP addresses are gathered during the request by taking the packet and request information into account. Sadly, this information can easily be spoofed or even be incorrect (based on a large number of network probabilities) and should not be used for anything more than vanity purposes.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...