The general method of obtaining user Ip address common security risks (HTTP_X_FO

Recommended for you: Get network issues from WhatsUp Gold. Not end users.

This comes from a number of projects, access to the user Ip, user behavior records, is a common and frequently used. General friends, will see the following general IP address acquisition method.

function getIP() { 
	if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { 
		$realip = $_SERVER['HTTP_X_FORWARDED_FOR']; 
	} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) { 
		$realip = $_SERVER['HTTP_CLIENT_IP']; 
	} else { 
		$realip = $_SERVER['REMOTE_ADDR']; 
		return $realip; 

This is online common acquisition, IP function, IP was obtained by using these values, we should first make clear, the data is coming from that place.

1.’REMOTE_ADDR’  Is the remote IP, the default from the TCP connection, the client Ip. Can say, it is the most accurate, sure, only will be directly connected to server client IP. If the other party the Internet through a proxy server, found. Access to the proxy server IP is.

Such as: a-> B (proxy) -> c , if C through ’ REMOTE_ADDR’, only B access to the IP, to obtain less than a IP.

In addition to tamper with the IP: will be very difficult to achieve, in the transfer of know generated PHP server value, are generated directly.

2.’HTTP_X_FORWARDED_FOR’, ’HTTP_CLIENT_IP’ In order to large networks, access to the user IP, or the IP address. The HTTp protocol is extended. Define the entity header.

HTTP_X_FORWARDED_FOR = clientip,proxy1,proxy2  All IP &rdquo, ” segmentation. HTTP_CLIENT_IP in advanced anonymous proxy, this represents a IP proxy server. Since the HTTP protocol extension of an entity, and this value is the trust for the incoming end, trust afferent input in accordance with rule format. The following x_forword_for example, under normal circumstances, the value change process.


Through the analysis we found just, actually these variables, from the HTTP request: x-forword-for field and client-ip field. A normal proxy server, will of course according to RFC specification into these values. However, when a user to directly construct the value x-forword-for, sent to the user, it will happen?



The second step, modify the value of x-forword-fox, we have a look the


The third step, we'll have a look what changes?


Ha ha, see the above results not, x-forwarded-for not only can set up their own value, and can set arbitrary format value. In this way, like just one can write arbitrary values of the field. And the server directly read, or written to the database, or display. It will bring danger, with the average of input without any filtering detection, between the operating data source as a result. And easy to bring hidden.

The above getip functions, in addition to the client can be counterfeited IP, and can be passed any format IP. Such findings will lead to 2 problems, first, if you set a page, IP constraints. The other can easily modify the IP continual requests for the page. Secondly, this kind of data if you directly use, will bring the SQL registration, cross - site scripting vulnerability. For one, can be limited in business, it is best not to use IP limits. The second, this class can bring huge network risk. We must correct.

Need to modify the getip, get the getip function security.

This kind of problem, in fact, very easy, I will use this for a vote before the disguise. There it is hidden, in fact, as long as we clear the sequence of events, some of the values. Understand the principle, it will be very easy to repair the bug.

Digression, technical, there are three steps, the first to do, will solve; why do so after thinking, what is the reason of principle; finally is how to do, there is no other way. Ask yourself, you find the truth more and more close distance technique. You will work more and more handy´╝ü

Author: chengmo    QQ:8292669 
the URL:  
subscribe to maintain attention:  
in this paper, the copyright belongs to the author, welcome to reprint, please be sure to add text links.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download

Posted by York at October 24, 2013 - 12:49 AM