This is fairly a straightforward topic. Just a few lines of PHP code will do the work of getting the client user IP address. Most of the times it is true, it is all about a few lines of PHP script.
Sometimes things get tricky. We shall see about those things and also an other aspect like the privacy issue involved with it.
Following one line PHP code will get you the client user’s IP address. Then why all the fuss? Read through the article and you will know about it.
$_SERVER['REMOTE_ADDR'];$_SERVER is a PHP array which is set by the server. Depending on this one line PHP code may not yield the best results in many a situation. For example, if a client is behind a proxy server, then this variable will not be suitable. Also be aware that, these headers can be easily spoofed by the users by setting an IP address themselves.
Following PHP script covers majority of the scenario and returns the user’s IP address.
<?php
class Request
{
/**
* Retrieves IP address set in the request header.
*
* Each ISPs sets them following their own logic. There is also a possibility for the user
* to easily spoof their IP address.
*
* So using this for mission critical situations is not advisable.
* If you are getting the IP address for casual logging purposes, then this is fine.
*/
public function getIpAddress()
{
$ipAddress = '';
if (! empty($_SERVER['HTTP_CLIENT_IP']) && $this->isValidIpAddress($_SERVER['HTTP_CLIENT_IP'])) {
// check for shared ISP IP
$ipAddress = $_SERVER['HTTP_CLIENT_IP'];
} else if (! empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
// check for IPs passing through proxy servers
// check if multiple IP addresses are set and take the first one
$ipAddressList = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
foreach ($ipAddressList as $ip) {
if ($this->isValidIpAddress($ip)) {
$ipAddress = $ip;
break;
}
}
} else if (! empty($_SERVER['HTTP_X_FORWARDED']) && $this->isValidIpAddress($_SERVER['HTTP_X_FORWARDED'])) {
$ipAddress = $_SERVER['HTTP_X_FORWARDED'];
} else if (! empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && $this->isValidIpAddress($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) {
$ipAddress = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
} else if (! empty($_SERVER['HTTP_FORWARDED_FOR']) && $this->isValidIpAddress($_SERVER['HTTP_FORWARDED_FOR'])) {
$ipAddress = $_SERVER['HTTP_FORWARDED_FOR'];
} else if (! empty($_SERVER['HTTP_FORWARDED']) && $this->isValidIpAddress($_SERVER['HTTP_FORWARDED'])) {
$ipAddress = $_SERVER['HTTP_FORWARDED'];
} else if (! empty($_SERVER['REMOTE_ADDR']) && $this->isValidIpAddress($_SERVER['REMOTE_ADDR'])) {
$ipAddress = $_SERVER['REMOTE_ADDR'];
}
return $ipAddress;
}
/**
* To validate if an IP address is both a valid and does not fall within
* a private network range.
*
* @access public
* @param string $ip
*/
public function isValidIpAddress($ip)
{
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
return false;
}
return true;
}
}
?>Minimal code to get user’s IP address
Below one line code will work in most of the situation. Read the ‘IP address reliability’ section below, must. It will give you a good idea.
$ipAddress = $_SERVER['REMOTE_ADDR']?:($_SERVER['HTTP_X_FORWARDED_FOR']?:$_SERVER['HTTP_CLIENT_IP']);Get user’s IP address for CloudFlare hosted websites
I have taken CloudFlare as example. There are many similar services. You need to talk to that service provider to know which request header they are setting and get the IP address accordingly.
When the website is hosted using CloudFlare service,
$_SERVER['REMOTE_ADDR']will return the CloudFlare server’s IP address and not the user’s IP address. So in such a situation, you can make use of the variable set by the CloudFlare server to get the IP address.
if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
$ipAddress = $_SERVER['REMOTE_ADDR'];
}IP address reliability
$_SERVER[‘REMOTE_ADDR’] is the most reliable variable from the above list of variables. REMOTE_ADDR may not contain the real IP address of the TCP connection as well. It depends on the SAPI configuration.
If the user is behind a proxy server, HTTP_X_FORWARDED_FOR will be set. But this can be easily spoofed by the user by setting an IP address he wishes to expose.
Even the variable X-Forwarded-For or the Client-IP can be set by the user to any value he wishes. So, when you maintain a log of user’s IP address, it is better to store the IP address that is returned by $_SERVER[‘REMOTE_ADDR’] also.
IP address field length
When you are storing the IP address in the database, remember to have the field size as 45 for single IP. Because there is a possibility for IPv6 IP addresses. It its full form the IPv6 IP address can be 45 characters in length.
How to get the IP address of a host
Using a hostname, we can get the server’s IP address using the PHP’s built-in function gethostbyname This returns the IPv4 address for the host given in argument.
$ipAddress = gethostbyname('www.example.com');The reverse is possible too by using gethostbyaddr()
Client user’s IP address and privacy issues
Client’s IP address can be considered as private information in certain legislation. It depends on the land of law. Internet is public in general. You never know from which geographic region you will get users.
As per GDPR (Article 4, Point 1; and Recital 49), IP address is a personal data. I would suggest to inform the user and get consent to log the IP address. Also, call it out explicitly in your “Privacy Policy” document.
Explicitly state that you are collecting and logging the client user’s IP address and the reason for doing so.
Conclusion
Understand your use-case well. A good understanding of the scenario in which you are going to get and use the client user’s IP address is important. Then understand that the end user can easily spoof his IP address and present you something else.
Third understand each line of the code, the server variables, from where the IP address is fetched, who sets it etc. Then decide how it will impact your use-case. Last but not the least, explicitly call out in your privacy policy that you are getting the client user’s IP address and storing it. Also state why you are doing it. As per GDPR, IP address is user’s personal information and so it would be better to get user’s consent before processing it.
Also Read :
PHP Database Backup Client for MySQL
How to Backup MySQL Database using PHP
Update/Delete Multiple Rows using PHP
Ajax Pagination with Tabular Records using PHP and jQuery
Sendmail in PHP using mail(), SMTP with Phpmailer
PHP session time set unset and check existence