集合 $_SERVER['HTTP_CLIENT_IP'] 的值是否为空字符串? [英] Will the value of a set $_SERVER['HTTP_CLIENT_IP'] be an empty string?

问题描述

我有一个简单的脚本来确定用户的 IP 地址:

I have a simple script which determines the user's IP address:

function GetIp(){
      if (!empty($_SERVER['HTTP_CLIENT_IP']))
      //check ip from share internet
      {
        $ip=$_SERVER['HTTP_CLIENT_IP'];
      }
      elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
      //to check ip is pass from proxy
      {
        $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
      }
      else
      {
        $ip=$_SERVER['REMOTE_ADDR'];
      }
      return $ip;
}

现在在网上某处我看到有人使用这个脚本:

Now on the Net somewhere I saw someone using this script:

if (isset($_SERVER['HTTP_CLIENT_IP']) && $_SERVER['HTTP_CLIENT_IP'] != '')
        $Ip = $_SERVER['HTTP_CLIENT_IP'];
    elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '')
        $Ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] != '')
        $Ip = $_SERVER['REMOTE_ADDR'];

我想知道我的实现是否有问题..我是否需要检查 $_SERVER['HTTP_CLIENT_IP'], $_SERVER['HTTP_X_FORWARDED_FOR'] 或 $_SERVER['REMOTE_ADDR'] 为空?或者实际上没有必要这样做?

I was wondering if my implementation is broken.. Do I need to check if the value of $_SERVER['HTTP_CLIENT_IP'], $_SERVER['HTTP_X_FORWARDED_FOR'], or $_SERVER['REMOTE_ADDR'] is empty? Or is it actually unnecessary to do so?

推荐答案

如果你想找出客户端 IP 地址的原因真的很重要，那就搞砸这一切.

If the reason why you want to find out the client's IP address is really important, screw all this stuff.

这些标头值中的任何一个都可以随意伪造.

REMOTE_ADDR 是唯一真正可靠的信息，因为它是由处理请求的网络服务器传输给您的.理论上它也可以伪造，但这比欺骗标题值要困难得多，而且是一个完全不同的类攻击.

REMOTE_ADDR is the only really reliable information, as it is transmitted to you by your web server that is handling the request. It can be theoretically falsified as well, but that is much, much harder than spoofing a header value, and an entirely different class of attack.

在反向代理背后的非常非常具体的托管环境中存在例外情况.在这些情况下，管理该代理的人员将能够告诉您需要测试什么标头值.

There are exceptions in very, very specific hosting environments behind reverse proxies. In those cases the person administering that proxy will be able to tell what header value you need to test for.

这篇关于集合 $_SERVER['HTTP_CLIENT_IP'] 的值是否为空字符串?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！