How can I track IPs to block malicious users?

Views: 159

Problem description

Here are a few theories for getting the user's IP

Theory1: If you don't use a load balancer, use REMOTE_ADDR. If you use a load balancer, use whatever it uses. In 99% of cases that appears to be HTTP_X_FORWARDED_FOR. So:

function get_ip_address(){
    $ip = '';
    if (isset($_SERVER['REMOTE_ADDR']))
        $ip = $_SERVER['REMOTE_ADDR']; 
    else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; 
    else
        $ip = 'UNKNOWN';
    return $ip;
}

Theory2: There is some other HTTP header information (i.e. $_SERVER['HTTP_...']) which might contain the IP. So:

function get_ip_address(){
    foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key){
        if (array_key_exists($key, $_SERVER) === true){
            foreach (explode(',', $_SERVER[$key]) as $ip){
                $ip = trim($ip); // just to be safe
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false){
                    return $ip;
                }
            }
        }
    }
}

Theory3: Storing both one of $_SERVER['HTTP_...'] and $_SERVER['REMOTE_ADDR']. So there are two variables:

function get_ip_address(){
    foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED') as $key){
        if (array_key_exists($key, $_SERVER) === true){
            foreach (explode(',', $_SERVER[$key]) as $ip2){
                $ip2 = trim($ip2); // just to be safe
                if (filter_var($ip2, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false){
                    $ip1 = $_SERVER['REMOTE_ADDR'];
                    return array($ip2, $ip1);
                }
            }
        }
    }
}


Well honestly I'm a little bit confused. How many columns (in the database) do I need to store the user's IP? I mean should I store both REMOTE_ADDR and an HTTP_...? Or just one of them?

Actually I have a query which inserts the user's IP into the database on each page load. So that query will be executed every time before the page loads. Surely an INSERT query (every time, for each request and each user) has a cost. So I don't want it to be useless. I mean I want to store a correct/real IP, or at least I want to do the best job possible to detect the user's IP*.

* When a user uses a proxy like HSS then detecting him would be impossible. That's why I said "at least".

Ok well, which theory is the best?

Solution

You need to decide when you're storing the IP whether you trust the remote address that's sending the X-FORWARDED-FOR address. If you do, then you store the forwarded address, otherwise you store the remote address. So it could be like this:

$load_balancer = '10.20.30.40';
$ip = $_SERVER['REMOTE_ADDR'];
// Only trust the forwarded header when the direct peer is our own load balancer.
// PHP exposes the X-Forwarded-For header as $_SERVER['HTTP_X_FORWARDED_FOR'].
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $ip === $load_balancer) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

Then log $ip in the database.

I don't see any point in storing the load balancer IP in the database as well. Performing the trust check when processing the database data would require you to have another table that says what the load balancer IP was during different time periods.
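As an added example (not code from the question or the answer), here is the trust decision the answer describes carried through for a comma-separated X-Forwarded-For chain: the header is honoured only when the direct peer is a trusted proxy, and the right-most hop that is not one of our proxies is taken as the client. The load balancer address 10.20.30.40 is the answer's placeholder, and the request arrays are constructed samples.

```php
<?php
// Added example (not the question's or answer's code): trust X-Forwarded-For only
// when the direct peer (REMOTE_ADDR) is one of our own proxies, and take the
// right-most hop that is not a trusted proxy. 10.20.30.40 is the load balancer
// placeholder from the answer; the $_SERVER arrays below are constructed samples.

function client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'UNKNOWN';
    }
    // Peer is not a proxy we control: any forwarding header is client-supplied.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }
    // X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the peer
    // it saw. Walking right to left and skipping trusted hops yields the address
    // our proxy actually talked to; entries further left were sent by the client.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the rest of the header
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote; // every hop was one of our proxies (e.g. an internal check)
}

$trusted = ['10.20.30.40'];

// Through the load balancer; the client prepended a fake entry to the header.
$via_lb = ['REMOTE_ADDR' => '10.20.30.40',
           'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7'];
echo client_ip($via_lb, $trusted), PHP_EOL; // the hop the balancer saw is logged

// Direct hit on the application with a forged header; the header is ignored.
$direct = ['REMOTE_ADDR' => '198.51.100.9',
           'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
echo client_ip($direct, $trusted), PHP_EOL;
```

Because the trust check happens at request time, only the resolved address needs a column; the proxy list lives in configuration rather than in the database, as the answer suggests.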
