在PHP中检索用户的正确IP地址的最准确的方法是什么?

我知道有大量的$ _SERVER变量头可用于IP地址检索。我想知道是否有一个普遍的共识,如何最准确地检索用户的真实IP地址(好知道没有方法是完美的)使用上述变量?

我花了一些时间试图找到一个深入的解决方案,并根据一些来源提出了以下代码。如果有人能在答案中找出漏洞,或者提供一些更准确的信息,我会很高兴。

编辑包括来自@Alix的优化

 /**
* Retrieves the best guess of the client's actual IP address.
* Takes into account numerous HTTP proxy headers due to variations
* in how different ISPs handle IP addresses in headers between hops.
*/
public function get_ip_address() {
// Check for shared internet/ISP IP
if (!empty($_SERVER['HTTP_CLIENT_IP']) && $this->validate_ip($_SERVER['HTTP_CLIENT_IP']))
return $_SERVER['HTTP_CLIENT_IP'];


// Check for IPs passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
// Check if multiple IP addresses exist in var
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
foreach ($iplist as $ip) {
if ($this->validate_ip($ip))
return $ip;
}
}
}
if (!empty($_SERVER['HTTP_X_FORWARDED']) && $this->validate_ip($_SERVER['HTTP_X_FORWARDED']))
return $_SERVER['HTTP_X_FORWARDED'];
if (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && $this->validate_ip($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']))
return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
if (!empty($_SERVER['HTTP_FORWARDED_FOR']) && $this->validate_ip($_SERVER['HTTP_FORWARDED_FOR']))
return $_SERVER['HTTP_FORWARDED_FOR'];
if (!empty($_SERVER['HTTP_FORWARDED']) && $this->validate_ip($_SERVER['HTTP_FORWARDED']))
return $_SERVER['HTTP_FORWARDED'];


// Return unreliable IP address since all else failed
return $_SERVER['REMOTE_ADDR'];
}


/**
* Ensures an IP address is both a valid IP address and does not fall within
* a private network range.
*
* @access public
* @param string $ip
*/
public function validate_ip($ip) {
if (filter_var($ip, FILTER_VALIDATE_IP,
FILTER_FLAG_IPV4 |
FILTER_FLAG_IPV6 |
FILTER_FLAG_NO_PRIV_RANGE |
FILTER_FLAG_NO_RES_RANGE) === false)
return false;
self::$ip = $ip;
return true;
}

警告之词(更新)

REMOTE_ADDR仍然表示IP地址的最可靠的源。这里提到的其他$_SERVER变量可以很容易地被远程客户端欺骗。此解决方案的目的是试图确定位于代理后面的客户机的IP地址。出于一般目的,你可以考虑将它与直接从$_SERVER['REMOTE_ADDR']返回的IP地址结合使用,并存储两者。

它不会保护你免受0.1%的恶意用户通过注入他们自己的请求头来滥用你的系统。如果依赖IP地址来完成某些关键任务,则求助于REMOTE_ADDR,而不必费心满足代理背后的需求。

111917 次浏览
小开

你已经回答了你自己的问题!:)

function getRealIpAddr() {
if(!empty($_SERVER['HTTP_CLIENT_IP']))   //Check IP address from shared Internet
{
$IPaddress = $_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //To check IP address is passed from the proxy
{
$IPaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$IPaddress = $_SERVER['REMOTE_ADDR'];
}
return $IPaddress;
}

Source .

小开

然而,即使这样,获取用户的真实IP地址也是不可靠的。他们所需要做的就是使用一个匿名代理服务器(一个不尊重http_x_forwarded_forhttp_forwarded等标题的服务器),你所得到的只是他们的代理服务器的IP地址。

然后,您可以查看是否有一个匿名的代理服务器IP地址列表,但没有办法确保这是100%准确的,它所做的最多是让您知道这是一个代理服务器。如果有人很聪明,他们可以欺骗HTTP转发的报头。

假设我不喜欢当地的大学。我知道他们注册了什么IP地址,然后通过做坏事让他们的IP地址在你的网站上被禁止,因为我知道你遵守HTTP转发。这样的例子不胜枚举。

然后,正如您所猜测的那样,还有内部IP地址,例如我前面提到的学院网络。很多使用10. . x.x.x格式。所以你只知道它被转发到一个共享网络。

那我就不多说了,动态IP地址已经是宽带的方式了。所以。即使你获得了一个用户IP地址,预计它最多2 - 3个月就会改变。

小开

我们使用:

/**
* Get the customer's IP address.
*
* @return string
*/
public function getIpAddress() {
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
return $_SERVER['HTTP_CLIENT_IP'];
} else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
return trim($ips[count($ips) - 1]);
} else {
return $_SERVER['REMOTE_ADDR'];
}
}

在HTTP_X_FORWARDED_FOR上的爆炸是因为我们在使用鱿鱼时检测IP地址的奇怪问题。

小开 
/**
* Sanitizes IPv4 address according to Ilia Alshanetsky's book
* "php|architect?s Guide to PHP Security", chapter 2, page 67.
*
* @param string $ip An IPv4 address
*/
public static function sanitizeIpAddress($ip = '')
{
if ($ip == '')
{
$rtnStr = '0.0.0.0';
}
else
{
$rtnStr = long2ip(ip2long($ip));
}


return $rtnStr;
}


//---------------------------------------------------


/**
* Returns the sanitized HTTP_X_FORWARDED_FOR server variable.
*
*/
public static function getXForwardedFor()
{
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$rtnStr = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
elseif (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']))
{
$rtnStr = $HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'];
}
elseif (getenv('HTTP_X_FORWARDED_FOR'))
{
$rtnStr = getenv('HTTP_X_FORWARDED_FOR');
}
else
{
$rtnStr = '';
}


// Sanitize IPv4 address (Ilia Alshanetsky):
if ($rtnStr != '')
{
$rtnStr = explode(', ', $rtnStr);
$rtnStr = self::sanitizeIpAddress($rtnStr[0]);
}


return $rtnStr;
}


//---------------------------------------------------


/**
* Returns the sanitized REMOTE_ADDR server variable.
*
*/
public static function getRemoteAddr()
{
if (isset($_SERVER['REMOTE_ADDR']))
{
$rtnStr = $_SERVER['REMOTE_ADDR'];
}
elseif (isset($HTTP_SERVER_VARS['REMOTE_ADDR']))
{
$rtnStr = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
elseif (getenv('REMOTE_ADDR'))
{
$rtnStr = getenv('REMOTE_ADDR');
}
else
{
$rtnStr = '';
}


// Sanitize IPv4 address (Ilia Alshanetsky):
if ($rtnStr != '')
{
$rtnStr = explode(', ', $rtnStr);
$rtnStr = self::sanitizeIpAddress($rtnStr[0]);
}


return $rtnStr;
}


//---------------------------------------------------


/**
* Returns the sanitized remote user and proxy IP addresses.
*
*/
public static function getIpAndProxy()
{
$xForwarded = self::getXForwardedFor();
$remoteAddr = self::getRemoteAddr();


if ($xForwarded != '')
{
$ip    = $xForwarded;
$proxy = $remoteAddr;
}
else
{
$ip    = $remoteAddr;
$proxy = '';
}


return array($ip, $proxy);
}
小开
最佳答案

下面是一种更简洁的获取IP地址的方法:

function get_ip_address(){
foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key){
if (array_key_exists($key, $_SERVER) === true){
foreach (explode(',', $_SERVER[$key]) as $ip){
$ip = trim($ip); // just to be safe


if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false){
return $ip;
}
}
}
}
}

你的代码似乎已经很完整了,我看不到任何可能的错误(除了通常的IP警告),我将改变validate_ip()函数依赖于过滤器扩展:

public function validate_ip($ip)
{
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false)
{
return false;
}


self::$ip = sprintf('%u', ip2long($ip)); // you seem to want this


return true;
}

你的HTTP_X_FORWARDED_FOR代码片段也可以这样简化:

// check for IPs passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
// check if multiple ips exist in var
if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',') !== false)
{
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        

foreach ($iplist as $ip)
{
if ($this->validate_ip($ip))
return $ip;
}
}
    

else
{
if ($this->validate_ip($_SERVER['HTTP_X_FORWARDED_FOR']))
return $_SERVER['HTTP_X_FORWARDED_FOR'];
}
}

:

// check for IPs passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        

foreach ($iplist as $ip)
{
if ($this->validate_ip($ip))
return $ip;
}
}

您可能还想验证IPv6地址。

小开

最大的问题是目的是什么?

你的代码几乎是全面的,因为它可以-但我看到,如果你发现什么看起来像一个代理添加头,你使用它而不是CLIENT_IP,然而,如果你想要这个信息的审计目的,然后警告-它很容易伪造。

当然,您绝不应该使用IP地址进行任何形式的身份验证——即使这些地址也可能被欺骗。

您可以通过推出一个flash或java applet来更好地测量客户端ip地址,它通过非http端口连接回服务器(因此会显示透明代理或代理注入的报头为假的情况下),但请记住,当客户端只能通过web代理连接或传出端口被阻塞时,将不会有来自applet的连接。

小开

我想知道也许你应该在爆炸的HTTP_X_FORWARDED_FOR以相反的顺序迭代,因为我的经验是,用户的IP地址结束在逗号分隔的列表的末尾,所以从头的开始,你更有可能得到一个返回的代理的IP地址,这可能仍然允许会话劫持,因为许多用户可能通过该代理。

小开

谢谢,非常有用。

如果代码在语法上是正确的,这将会有所帮助。在第20行有一个{too many。这恐怕意味着没人真正尝试过。

我可能疯了,但在尝试了一些有效和无效的地址后,validate_ip()唯一有效的版本是这样的:

    public function validate_ip($ip)
{
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) === false)
return false;
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE) === false)
return false;
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false)
return false;


return true;
}
小开

下面是修改后的版本,如果你使用CloudFlare缓存层服务

function getIP()
{
$fields = array('HTTP_X_FORWARDED_FOR',
'REMOTE_ADDR',
'HTTP_CF_CONNECTING_IP',
'HTTP_X_CLUSTER_CLIENT_IP');


foreach($fields as $f)
{
$tries = $_SERVER[$f];
if (empty($tries))
continue;
$tries = explode(',',$tries);
foreach($tries as $try)
{
$r = filter_var($try,
FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 |
FILTER_FLAG_NO_PRIV_RANGE |
FILTER_FLAG_NO_RES_RANGE);


if ($r !== false)
{
return $try;
}
}
}
return false;
}
小开

只是答案的VB。网版本:

Private Function GetRequestIpAddress() As IPAddress
Dim serverVariables = HttpContext.Current.Request.ServerVariables
Dim headersKeysToCheck = {"HTTP_CLIENT_IP", _
"HTTP_X_FORWARDED_FOR", _
"HTTP_X_FORWARDED", _
"HTTP_X_CLUSTER_CLIENT_IP", _
"HTTP_FORWARDED_FOR", _
"HTTP_FORWARDED", _
"REMOTE_ADDR"}
For Each thisHeaderKey In headersKeysToCheck
Dim thisValue = serverVariables.Item(thisHeaderKey)
If thisValue IsNot Nothing Then
Dim validAddress As IPAddress = Nothing
If IPAddress.TryParse(thisValue, validAddress) Then
Return validAddress
End If
End If
Next
Return Nothing
End Function
小开

另一种干净的方式:

  function validateIp($var_ip){
$ip = trim($var_ip);


return (!empty($ip) &&
$ip != '::1' &&
$ip != '127.0.0.1' &&
filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false)
? $ip : false;
}


function getClientIp() {
$ip = @$this->validateIp($_SERVER['HTTP_CLIENT_IP']) ?:
@$this->validateIp($_SERVER['HTTP_X_FORWARDED_FOR']) ?:
@$this->validateIp($_SERVER['HTTP_X_FORWARDED']) ?:
@$this->validateIp($_SERVER['HTTP_FORWARDED_FOR']) ?:
@$this->validateIp($_SERVER['HTTP_FORWARDED']) ?:
@$this->validateIp($_SERVER['REMOTE_ADDR']) ?:
'LOCAL OR UNKNOWN ACCESS';


return $ip;
}
小开

我意识到上面有更好更简洁的答案,这不是一个函数,也不是最优雅的脚本。在我们的例子中,我们需要在一次简单的交换中输出可伪装的x_forwarded_for和更可靠的remote_addr。它需要允许空格注入到其他函数if-none或if-singular(而不是仅仅返回预格式化的函数)。它需要一个“开或关”变量,每个开关都有一个定制标签,用于平台设置。它还需要一种方法使$ip根据请求是动态的,这样它就可以采用forwarded_for的形式。

我也没有看到任何人地址isset() vs !empty()——它可能没有为x_forwarded_for输入任何内容,但仍然触发isset()真理导致空白var,一种解决方法是使用&&把两者结合起来作为条件。请记住,您可以欺骗像“PWNED”这样的单词为x_forwarded_for,因此,如果您的输出在某个受保护的地方或到DB中,请确保您将其杀菌为真实ip语法。

此外,如果您需要一个多代理来查看x_forwarder_for中的数组,则可以使用谷歌translate进行测试。如果你想欺骗头进行测试,检查这个Chrome客户端头欺骗扩展。这将默认只是标准的remote_addr,而后面的一个代理。

我不知道任何情况下,remote_addr可以是空的,但它在那里,以防万一。

// proxybuster - attempts to un-hide originating IP if [reverse]proxy provides methods to do so
$enableProxyBust = true;


if (($enableProxyBust == true) && (isset($_SERVER['REMOTE_ADDR'])) && (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) && (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))) {
$ip = end(array_values(array_filter(explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']))));
$ipProxy = $_SERVER['REMOTE_ADDR'];
$ipProxy_label = ' behind proxy ';
} elseif (($enableProxyBust == true) && (isset($_SERVER['REMOTE_ADDR']))) {
$ip = $_SERVER['REMOTE_ADDR'];
$ipProxy = '';
$ipProxy_label = ' no proxy ';
} elseif (($enableProxyBust == false) && (isset($_SERVER['REMOTE_ADDR']))) {
$ip = $_SERVER['REMOTE_ADDR'];
$ipProxy = '';
$ipProxy_label = '';
} else {
$ip = '';
$ipProxy = '';
$ipProxy_label = '';
}

为了使这些动态用于下面的函数或查询/回显/视图,比如日志生成或错误报告,使用全局变量或在任何你想要的地方回显em,而不需要创建大量其他条件或静态模式输出函数。

function fooNow() {
global $ip, $ipProxy, $ipProxy_label;
// begin this actions such as log, error, query, or report
}

谢谢你的好想法。请让我知道如果这可以更好,仍然有点新的这些头:)

小开

我想出了这个函数,它不简单地返回IP地址,而是一个具有IP信息的数组。

// Example usage:
$info = ip_info();
if ( $info->proxy ) {
echo 'Your IP is ' . $info->ip;
} else {
echo 'Your IP is ' . $info->ip . ' and your proxy is ' . $info->proxy_ip;
}

函数如下:

/**
* Retrieves the best guess of the client's actual IP address.
* Takes into account numerous HTTP proxy headers due to variations
* in how different ISPs handle IP addresses in headers between hops.
*
* @since 1.1.3
*
* @return object {
*         IP Address details
*
*         string $ip The users IP address (might be spoofed, if $proxy is true)
*         bool $proxy True, if a proxy was detected
*         string $proxy_id The proxy-server IP address
* }
*/
function ip_info() {
$result = (object) array(
'ip' => $_SERVER['REMOTE_ADDR'],
'proxy' => false,
'proxy_ip' => '',
);


/*
* This code tries to bypass a proxy and get the actual IP address of
* the visitor behind the proxy.
* Warning: These values might be spoofed!
*/
$ip_fields = array(
'HTTP_CLIENT_IP',
'HTTP_X_FORWARDED_FOR',
'HTTP_X_FORWARDED',
'HTTP_X_CLUSTER_CLIENT_IP',
'HTTP_FORWARDED_FOR',
'HTTP_FORWARDED',
'REMOTE_ADDR',
);
foreach ( $ip_fields as $key ) {
if ( array_key_exists( $key, $_SERVER ) === true ) {
foreach ( explode( ',', $_SERVER[$key] ) as $ip ) {
$ip = trim( $ip );


if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) !== false ) {
$forwarded = $ip;
break 2;
}
}
}
}


// If we found a different IP address then REMOTE_ADDR then it's a proxy!
if ( $forwarded != $result->ip ) {
$result->proxy = true;
$result->proxy_ip = $result->ip;
$result->ip = $forwarded;
}


return $result;
}
小开
来自Symfony的Request类 https://github.com/symfony/symfony/blob/1bd125ec4a01220878b3dbc3ec3156b073996af9/src/Symfony/Component/HttpFoundation/Request.php < / p > 
const HEADER_FORWARDED = 'forwarded';
const HEADER_CLIENT_IP = 'client_ip';
const HEADER_CLIENT_HOST = 'client_host';
const HEADER_CLIENT_PROTO = 'client_proto';
const HEADER_CLIENT_PORT = 'client_port';


/**
* Names for headers that can be trusted when
* using trusted proxies.
*
* The FORWARDED header is the standard as of rfc7239.
*
* The other headers are non-standard, but widely used
* by popular reverse proxies (like Apache mod_proxy or Amazon EC2).
*/
protected static $trustedHeaders = array(
self::HEADER_FORWARDED => 'FORWARDED',
self::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
self::HEADER_CLIENT_HOST => 'X_FORWARDED_HOST',
self::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
self::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
);


/**
* Returns the client IP addresses.
*
* In the returned array the most trusted IP address is first, and the
* least trusted one last. The "real" client IP address is the last one,
* but this is also the least trusted one. Trusted proxies are stripped.
*
* Use this method carefully; you should use getClientIp() instead.
*
* @return array The client IP addresses
*
* @see getClientIp()
*/
public function getClientIps()
{
$clientIps = array();
$ip = $this->server->get('REMOTE_ADDR');
if (!$this->isFromTrustedProxy()) {
return array($ip);
}
if (self::$trustedHeaders[self::HEADER_FORWARDED] && $this->headers->has(self::$trustedHeaders[self::HEADER_FORWARDED])) {
$forwardedHeader = $this->headers->get(self::$trustedHeaders[self::HEADER_FORWARDED]);
preg_match_all('{(for)=("?\[?)([a-z0-9\.:_\-/]*)}', $forwardedHeader, $matches);
$clientIps = $matches[3];
} elseif (self::$trustedHeaders[self::HEADER_CLIENT_IP] && $this->headers->has(self::$trustedHeaders[self::HEADER_CLIENT_IP])) {
$clientIps = array_map('trim', explode(',', $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_IP])));
}
$clientIps[] = $ip; // Complete the IP chain with the IP the request actually came from
$firstTrustedIp = null;
foreach ($clientIps as $key => $clientIp) {
// Remove port (unfortunately, it does happen)
if (preg_match('{((?:\d+\.){3}\d+)\:\d+}', $clientIp, $match)) {
$clientIps[$key] = $clientIp = $match[1];
}
if (!filter_var($clientIp, FILTER_VALIDATE_IP)) {
unset($clientIps[$key]);
}
if (IpUtils::checkIp($clientIp, self::$trustedProxies)) {
unset($clientIps[$key]);
// Fallback to this when the client IP falls into the range of trusted proxies
if (null ===  $firstTrustedIp) {
$firstTrustedIp = $clientIp;
}
}
}
// Now the IP chain contains only untrusted proxies and the client IP
return $clientIps ? array_reverse($clientIps) : array($firstTrustedIp);
}
小开

就像之前有人说的,这里的关键在于你为什么想要存储用户的ip。

我将从我工作的注册系统中给出一个例子,当然解决方案只是为了在这个经常出现在我搜索中的旧讨论中贡献一些东西。

许多php注册库使用知识产权来限制/锁定基于用户ip的失败尝试。 考虑这个表:

-- mysql
DROP TABLE IF EXISTS `attempts`;
CREATE TABLE `attempts` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`ip` varchar(39) NOT NULL, /*<<=====*/
`expiredate` datetime NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- sqlite
...

然后,当用户尝试登录或任何与重置密码相关的服务时,在开始时调用一个函数:

public function isBlocked() {
/*
* used one of the above methods to capture user's ip!!!
*/
$ip = $this->ip;
// delete attempts from this ip with 'expiredate' in the past
$this->deleteAttempts($ip, false);
$query = $this->dbh->prepare("SELECT count(*) FROM {$this->token->get('table_attempts')} WHERE ip = ?");
$query->execute(array($ip));
$attempts = $query->fetchColumn();
if ($attempts < intval($this->token->get('attempts_before_verify'))) {
return "allow";
}
if ($attempts < intval($this->token->get('attempts_before_ban'))) {
return "captcha";
}
return "block";
}
例如,$this->token->get('attempts_before_ban') === 10和2个用户来获取与前面代码哪里的标题可以被欺骗中相同的ip,然后在5次尝试后每个两者都被禁止! 更糟糕的是,如果所有用户都来自同一个代理,那么只有前10个用户将被记录,其余的用户将被禁止!< / p >

这里的关键是我们需要在表attempts上有一个唯一的索引,我们可以从如下组合中获得它:

 `ip` varchar(39) NOT NULL,
`jwt_load varchar(100) NOT NULL

,其中jwt_load来自遵循Json web令牌技术的http cookie,其中我们只存储加密有效负载,其中应该包含每个用户的任意/唯一值。 当然,请求应该被修改为:"SELECT count(*) FROM {$this->token->get('table_attempts')} WHERE ip = ? AND jwt_load = ?",类也应该初始化一个private $jwt.

小开

我的回答基本上是@AlixAxel的回答的一个经过润色、完全验证和完全打包的版本:

<?php


/* Get the 'best known' client IP. */


if (!function_exists('getClientIP'))
{
function getClientIP()
{
if (isset($_SERVER["HTTP_CF_CONNECTING_IP"]))
{
$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
};


foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key)
{
if (array_key_exists($key, $_SERVER))
{
foreach (explode(',', $_SERVER[$key]) as $ip)
{
$ip = trim($ip);


if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false)
{
return $ip;
};
};
};
};


return false;
};
};


$best_known_ip = getClientIP();


if(!empty($best_known_ip))
{
$ip = $clients_ip = $client_ip = $client_IP = $best_known_ip;
}
else
{
$ip = $clients_ip = $client_ip = $client_IP = $best_known_ip = '';
};


?>

变化:

  • 它简化了函数名(使用'camelCase'格式样式)。

  • 它包括一个检查,以确保函数没有在代码的另一部分中声明。

  • 它还考虑了“CloudFlare”的兼容性。

  • 它将多个“ip相关”变量名称初始化为'getClientIP'函数的返回值。

  • 它确保如果函数没有返回有效的IP地址,所有变量将被设置为空字符串,而不是null

  • 它只有(45)行代码。

小开

我很惊讶没有人提到filter_input,所以下面是阿利克斯·阿克塞尔的回答压缩成一行:

function get_ip_address(&$keys = ['HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'HTTP_CLIENT_IP', 'REMOTE_ADDR'])
{
return empty($keys) || ($ip = filter_input(INPUT_SERVER, array_pop($keys), FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE))? $ip : get_ip_address($keys);
}
小开

我知道现在回答已经太晚了。但是你可以试试这些方法:

选项1:(使用curl)

$ch = curl_init();


// set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, "https://ifconfig.me/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);


// grab URL and pass it to the browser
$ip = curl_exec($ch);


// close cURL resource, and free up system resources
curl_close($ch);


return $ip;

选项2:(适用于mac)

return trim(shell_exec("dig +short myip.opendns.com @resolver1.opendns.com"));

选项3:(只是使用了一个技巧)

return str_replace('Current IP CheckCurrent IP Address: ', '', strip_tags(file_get_contents('http://checkip.dyndns.com')));

https://www.tecmint.com/find-linux-server-public-ip-address/ < / p >

小开

虽然这篇文章很老了,但这个话题仍然值得关注。所以我在我的项目中使用了另一个解决方案。我在这里找到了其他的解决方案,要么不完整,要么太复杂,难以理解。

if (! function_exists('get_visitor_IP'))
{
/**
* Get the real IP address from visitors proxy. e.g. Cloudflare
*
* @return string IP
*/
function get_visitor_IP()
{
// Get real visitor IP behind CloudFlare network
if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
$_SERVER['HTTP_CLIENT_IP'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
}


// Sometimes the `HTTP_CLIENT_IP` can be used by proxy servers
$ip = @$_SERVER['HTTP_CLIENT_IP'];
if (filter_var($ip, FILTER_VALIDATE_IP)) {
return $ip;
}


// Sometimes the `HTTP_X_FORWARDED_FOR` can contain more than IPs
$forward_ips = @$_SERVER['HTTP_X_FORWARDED_FOR'];
if ($forward_ips) {
$all_ips = explode(',', $forward_ips);


foreach ($all_ips as $ip) {
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)){
return $ip;
}
}
}


return $_SERVER['REMOTE_ADDR'];
}
}

提交答案