Securing how a web site reads the user's IP address: the HTTP_X_FORWARDED_FOR problem


The usual way of reading the user's IP address carries a common security risk (HTTP_X_FORWARDED_FOR). We have realized that reading the user IP directly from HTTP_X_FORWARDED_FOR is no different from reading a value directly from GET or POST. One of the basic principles for web parameters is: "all input is harmful", so as long as it is input, we need to filter it.

  function getIP() {
	$realip = ''; // Set default value
	if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
		$realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
	} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
		$realip = $_SERVER['HTTP_CLIENT_IP'];
	} else {
		$realip = $_SERVER['REMOTE_ADDR'];
	}
	// Keep only the first thing that looks like a dotted-quad IPv4 address;
	// any other content in the header is dropped and false is returned
	preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/', $realip, $match);
	return $match ? $match[0] : false;
  }

The function above adds an IP check: it reads only data in IP format, and returns the first value that matches the IP format. If nothing matches, it returns false. That way the value you read meets the IP format, and the data has been validated as an IP.
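The getIP() function above still accepts whatever value happens to come first in HTTP_X_FORWARDED_FOR, and that header is written by whoever sends the request, not by the server. The following is an added example (not code from the original post) that trusts the header only when the TCP peer in REMOTE_ADDR is one of our own reverse proxies, walks the hop list from the right to skip those proxies, and validates the result with filter_var(). The function name clientIpFromServer, the $TRUSTED_PROXIES list and the request arrays are constructed for illustration.

```php
<?php
// Added example, not the original post's code.
// Assumed list of our own reverse-proxy addresses; replace with the real ones.
$TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Returns the validated client IP, or false when no usable address is found.
function clientIpFromServer(array $server, array $trustedProxies) {
	$remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

	// If the connection did not arrive via one of our proxies, the header is
	// under the sender's control, so only the socket peer address counts.
	if (!in_array($remote, $trustedProxies, true)) {
		return filter_var($remote, FILTER_VALIDATE_IP) ?: false;
	}
	if (empty($server['HTTP_X_FORWARDED_FOR'])) {
		return filter_var($remote, FILTER_VALIDATE_IP) ?: false;
	}

	// X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the
	// peer it saw. Walk from the right, skip our own proxies, and take the first
	// hop that is not ours; the left-most entries were supplied by the client.
	$hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
	for ($i = count($hops) - 1; $i >= 0; $i--) {
		if (in_array($hops[$i], $trustedProxies, true)) {
			continue;
		}
		return filter_var($hops[$i], FILTER_VALIDATE_IP) ?: false;
	}
	return filter_var($remote, FILTER_VALIDATE_IP) ?: false;
}

// Constructed requests (not real traffic) showing the three cases that matter.
$cases = [
	// Direct connection: the header was not added by our proxy and is ignored.
	['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'],
	// Via our proxy: the header is trusted and the client hop is returned.
	['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.20, 10.0.0.5'],
	// Via our proxy, but the left-most hop is not an IP address at all.
	['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip, 10.0.0.5'],
];
foreach ($cases as $c) {
	var_export(clientIpFromServer($c, $TRUSTED_PROXIES));
	echo "\n";
}
```

The first case returns the socket peer 203.0.113.7 rather than the header value, the second returns 198.51.100.20, and the third returns false because the only non-proxy hop fails validation. The essential difference from getIP() is that the decision to read the header at all is keyed on REMOTE_ADDR, which the sender cannot forge, rather than on the header's presence.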

Above we noted that on some sites you often see the hint "illegal IP address". In fact, some of those are IP addresses with a format error, and some may be IP addresses that were read correctly but do not fall within the ranges the Internet allows. The following function encapsulates the IANA specification: by entering an IP address, you can know accurately whether that IP can be used on the Internet.

//The Internet allows the use of IP address: classify an IPv4 address by the IANA special-purpose ranges
function ipType2($ip) {
	$iplist = explode(".", $ip);
	if (count($iplist) != 4)
		return false; // not a dotted-quad address
	$iplist = array_map('intval', $iplist);

	if ($iplist[0] >= 224 && $iplist[0] <= 239)
		return 'Multicast';
	if ($iplist[0] >= 240 && $iplist[0] <= 255)
		return 'Retain';

	if (preg_match('/^198\.51\.100\./', $ip))
		return 'TEST-NET-2, Documentation and examples';
	if (preg_match('/^203\.0\.113\./', $ip))
		return 'TEST-NET-3, Documentation and examples';

	// Benchmarking range is 198.18.0.0/15 (RFC 2544), i.e. 198.18.x.x and 198.19.x.x
	if (preg_match('/^198\.(18|19)\./', $ip))
		return 'Network benchmarking';

	if (preg_match('/^192\.168\./', $ip))
		return 'Special network [internal network]';

	if (preg_match('/^192\.88\.99\./', $ip))
		return 'Ipv6to4 relay';
	if (preg_match('/^192\.0\.2\./', $ip))
		return 'TEST-NET-1, Documentation and examples';
	if (preg_match('/^192\.0\.0\./', $ip))
		return 'Retain(IANA)';

	if ($iplist[0] == 172 && $iplist[1] <= 31 && $iplist[1] >= 16)
		return 'Special network [internal network]';

	if ($iplist[0] == 169 && $iplist[1] == 254)
		return 'Link local';
	if ($iplist[0] == 127)
		return 'The loopback address';
	if ($iplist[0] == 10)
		return 'Special network [internal network]';
	if ($iplist[0] == 0)
		return 'The network (only as source address legitimate)';

	return 'InterNet network address';
}

When you enter an IP address and it returns 'InterNet network address', the IP is not only correctly formatted but also a legal Internet IP address. This function looks complex, but in fact it just excludes the many non-Internet IP addresses. We are all familiar with the addresses beginning with 192, 127 and 10, but in fact many more IP ranges are reserved or retained and are not usable as Internet IPs. With the two functions above, we can not only read a correctly formatted IP address but also ensure that the address read is an Internet IP address. These functions are used often; friends are welcome to use them!
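As an added example (not the original post's code), here is the same exclusion idea as ipType2() done with CIDR prefix matching, so the IANA ranges sit in one table instead of one regex or comparison per range, and cross-checked against PHP's built-in filter_var() range flags. The names ipType3(), cidrContains(), builtinPublicCheck() and $SPECIAL_RANGES are assumptions for illustration, and the table goes slightly beyond the page by also listing 100.64.0.0/10 (shared address space, RFC 6598).

```php
<?php
// Added example, not the original post's code: classify an IPv4 address by
// IANA special-purpose ranges using CIDR matching, then compare with filter_var().

// Assumed table (CIDR => description) built from the IANA special-purpose registry.
// 100.64.0.0/10 (RFC 6598) is included in addition to the ranges the post lists.
$SPECIAL_RANGES = [
	'0.0.0.0/8'        => 'This network (only legitimate as source address)',
	'10.0.0.0/8'       => 'Private network',
	'100.64.0.0/10'    => 'Shared address space (carrier-grade NAT)',
	'127.0.0.0/8'      => 'Loopback',
	'169.254.0.0/16'   => 'Link local',
	'172.16.0.0/12'    => 'Private network',
	'192.0.0.0/24'     => 'IETF protocol assignments (IANA reserved)',
	'192.0.2.0/24'     => 'TEST-NET-1, documentation and examples',
	'192.88.99.0/24'   => '6to4 relay anycast',
	'192.168.0.0/16'   => 'Private network',
	'198.18.0.0/15'    => 'Network benchmarking',
	'198.51.100.0/24'  => 'TEST-NET-2, documentation and examples',
	'203.0.113.0/24'   => 'TEST-NET-3, documentation and examples',
	'224.0.0.0/4'      => 'Multicast',
	'240.0.0.0/4'      => 'Reserved',
];

// True when the dotted-quad $ip lies inside $cidr. ip2long() yields the 32-bit
// value; masking with 0xFFFFFFFF keeps the comparison correct on 64-bit PHP.
function cidrContains($cidr, $ip) {
	list($net, $bits) = explode('/', $cidr);
	$bits = (int)$bits;
	$mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
	return ((ip2long($ip) & $mask) === (ip2long($net) & $mask));
}

// Returns false for anything that is not a syntactically valid IPv4 address,
// the range description for a special-purpose address, or 'Internet' otherwise.
function ipType3($ip, array $ranges) {
	if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
		return false;
	}
	foreach ($ranges as $cidr => $description) {
		if (cidrContains($cidr, $ip)) {
			return $description;
		}
	}
	return 'Internet';
}

// PHP's built-in flags reject the private ranges plus a few reserved ones
// (0/8, 127/8, 169.254/16, 240/4). Documentation, benchmarking and multicast
// ranges still pass, which is why a table like the one above is still needed.
function builtinPublicCheck($ip) {
	return filter_var($ip, FILTER_VALIDATE_IP,
		FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Constructed inputs for the comparison: public, private edge cases, special
// ranges the built-in flags do not know about, and two malformed strings.
$samples = ['8.8.8.8', '172.31.255.255', '172.32.0.1', '198.18.1.1', '198.51.100.7',
	'100.64.1.1', '239.1.1.1', '256.1.1.1', '1.2.3'];
foreach ($samples as $ip) {
	printf("%-16s table: %-50s builtin public: %s\n", $ip,
		var_export(ipType3($ip, $SPECIAL_RANGES), true),
		builtinPublicCheck($ip) ? 'yes' : 'no');
}
```

Validating the syntax with FILTER_VALIDATE_IP before any range test is what keeps the classifier from being fooled by inputs such as '256.1.1.1' or '1.2.3', which explode() and intval() would otherwise accept; the per-range comparison then runs only on a well-formed address. Running the script makes the gap between the table and the built-in flags visible: addresses in the TEST-NET, benchmarking and multicast ranges are reported as public by builtinPublicCheck() but as special-purpose by ipType3().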

Author: chengmo    QQ:8292669 
the URL:  
subscribe to maintain attention:  
The copyright of this article belongs to the author; reprinting is welcome, but please be sure to add a text link.


Posted by Bennett at October 24, 2013 - 2:14 AM