You need also to know that $_SERVER['SERVER_NAME'] and surely $_SERVER['PHP_SELF'] are fakeable by sending wrong HTTP headers (hint: "Host:" will become SERVER_NAME in your PHP scripts). For PHP_SELF you may want to use SCRIPT_NAME instead.
You may want to use this little code to continue using PHP_SELF:
$_SERVER['PHP_SELF'] = $_SERVER['SCRIPT_NAME']; $PHP_SELF = $_SERVER['PHP_SELF']
The last one is for people who cannot switch "register_global" off.
There is now "secure" replacement for SERVER_NAME available. Sometimes SERVER_ADDR (which not fakeable) might be handy but in some situations not. If you need a valid entry in SERVER_NAME validate it with a regular expressions. See regexlib.com for such expressions.
getenv
(PHP 4, PHP 5)
getenv — 環境変数の値を取得する
説明
string getenv ( string varname )varname が示す環境変数の値を返し、 エラーの場合はFALSEを返します。
// getenv() の使用例
$ip = getenv('REMOTE_ADDR');
// または単純にスーパーグローバル($_SERVER または $_ENV)を用いる
$ip = $_SERVER['REMOTE_ADDR'];
phpinfo() を使用して全ての環境変数の一覧を見る ことができます。 » CGI specification 、特に » 環境変数のページを参照すること により、それらの参照する環境変数の役割の多くを知ることができます。
putenv(), apache_getenv() そして スーパーグローバル も参照ください。
getenv
roland at mxchange dot org
05-Jan-2007 03:29
05-Jan-2007 03:29
kev at kevinhebert dot com
28-Sep-2006 06:34
28-Sep-2006 06:34
This came in really handy, I looked everywhere on the Internet for a simple answer to this and the
solution turned out to be pleasantly simple.
Let's say you have a secure server. You want everyone to use this secure server every time they access.
But, you don't want to cut off http access entirely because people do forget to type that in the address bar.
Just stick this at the top of your PHP script or in your header file:
if (!$_SERVER["HTTPS"]) {
header("Location: https://your.secure.server.com/\n\n");
exit;
}
I am testing this now but so far it works great, how would all of you all normally handle this
(without forcing .htaccess passwords and doing the redirect that way, just for general users)?
I tried web searches along the lines of "apache http https in different directories" and
"force https access redirect apache" but nothing really worked as simply as this did.
svpe (at] gmx {dot) net
21-Dec-2005 01:35
21-Dec-2005 01:35
I've read all the comments here.
Most of you trust that HTTP_X_FORWARDED_FOR is the real ip address of the user.
But it can easily be faked by sending a wrong HTTP request.
REMOTE_ADDR does contain the 'real' ip address (maybe of the proxy server but it cannot be faked as easy as X_FORWARDED_FOR)
So if you rely on checking the visitor by it's ip address validate _both_ $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'].
shane at 007Marketing
26-Aug-2005 07:42
26-Aug-2005 07:42
I am just starting to try to tackle this issue of getting the real ip address.
One flaw I see in the preceding notes is that none will bring up a true live ip address when the first proxy is behind a nat router/firewall.
I am about to try and nut this out but from the data I see so far the true ip address (live ip of the nat router) is included in $_SERVER['HTTP_CACHE_CONTROL'] as bypass-client=xx.xx.xx.xx
$_SERVER['HTTP_X_FORWARDED_FOR'] contains the proxy behind the nat router.
$_SERVER['REMOTE_ADDR'] is the isp proxy (from what I read this can be a list of proxies if you go through more than one)
I am not sure if bypass-client holds true when you get routed through several proxies along the way.
renko at <remove>virtual-life dot net
08-Nov-2004 11:40
08-Nov-2004 11:40
The function 'getenv' does not work if your Server API is ASAPI (IIS).
So, try to don't use getenv('REMOTE_ADDR'), but $_SERVER["REMOTE_ADDR"].
mkaman at aldeafutura dot com
23-Apr-2004 10:33
23-Apr-2004 10:33
I think there is a better way to determine a correct ip. This is based in the fact that the private ip's for lan use are described in RFC 1918.
So all we have to do is get an ordered array of ip's and take the first ip that doesn't is a private ip.
//List of the private ips described in the RFC. You can easily add the
//127.0.0.0/8 to this if you need it.
$ip_private_list=array(
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
);
//Determine if an ip is in a net.
//E.G. 120.120.120.120 in 120.120.0.0/16
//I saw this in another post in this site but don't remember where :P
function isIPInNet($ip,$net,$mask) {
$lnet=ip2long($net);
$lip=ip2long($ip);
$binnet=str_pad( decbin($lnet),32,"0","STR_PAD_LEFT" );
$firstpart=substr($binnet,0,$mask);
$binip=str_pad( decbin($lip),32,"0","STR_PAD_LEFT" );
$firstip=substr($binip,0,$mask);
return(strcmp($firstpart,$firstip)==0);
}
//This function check if a ip is in an array of nets (ip and mask)
function isIpInNetArray($theip,$thearray)
{
$exit_c=false;
#print_r($thearray);
foreach ( $thearray as $subnet ) {
list($net,$mask)=split("/",$subnet);
if(isIPInNet($theip,$net,$mask)){
$exit_c=true;
break;
}
}
return($exit_c);
}
//Building the ip array with the HTTP_X_FORWARDED_FOR and
//REMOTE_ADDR HTTP vars.
//With this function we get an array where first are the ip's listed in
//HTTP_X_FORWARDED_FOR and the last ip is the REMOTE_ADDR.
//This is inspired (copied and modified) in the function from daniel_dll.
function GetIpArray()
{
$cad="";
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) AND
$_SERVER['HTTP_X_FORWARDED_FOR']!="")
$cad=$_SERVER['HTTP_X_FORWARDED_FOR'];
if(isset($_SERVER['REMOTE_ADDR']) AND
$_SERVER['REMOTE_ADDR']!="")
$cad=$cad.",".$_SERVER['REMOTE_ADDR'];
$arr= explode(',',$cad);
return $arr;
}
//We check each ip in the array and we returns the first that is not a
//private ip.
function getIp()
{
global $ip_private_list;
$ip = "unknown";
$ip_array=getIpArray();
foreach ( $ip_array as $ip_s ) {
if( $ip_s!="" AND !isIPInNetArray($ip_s,$ip_private_list)){
$ip=$ip_s;
break;
}
}
return($ip);
}
mayday at tria dot lv
20-Apr-2004 03:00
20-Apr-2004 03:00
daniele_dll:
Your function hase a bug!
If You check this IPs:
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
$_SERVER['HTTP_X_FORWARDED_FOR'] = '127.0.0.2,127.0.0.3';
the function will return this:
Array
(
[0] => 127.0.0.1
[1] => 127.0.0.3
)
Yes, the first element from 'HTTP_X_FORWARDED_FOR' is lost.
The only fixes you need to make is to move down one line.
This is the correct way:
<?php
function get_ip_list() {
$tmp = array();
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && strpos($_SERVER['HTTP_X_FORWARDED_FOR'],',')) {
$tmp += explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$tmp[] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
$tmp[] = $_SERVER['REMOTE_ADDR'];
return $tmp;
}
?>
kyong
04-Feb-2004 06:06
04-Feb-2004 06:06
As you know, getenv('DOCUMENT_ROOT') is useful.
However, under CLI environment(I tend to do quick check
if it works or not), it doesn't work without modified php.ini
file. So I add "export DOCUMENT_ROOT=~" in my .bash_profile.
Joenema at aol dot com
29-May-2003 07:25
29-May-2003 07:25
This is just a reply to Anders Winther's fool-proof IP address fetcher.
What he has is good, but uses a lot of superfluous lines. Basically, he could have done this:
function getIP() {
$ip;
if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");
else if(getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");
else if(getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");
else $ip = "UNKNOWN";
return $ip;
}
Do you see how those numerous lines of code compressed into a few lines?
daman at SPAM_BlockERmralaska dot com
08-Sep-2002 10:37
08-Sep-2002 10:37
Be careful using HTTP_X_FORWARDED_FOR in conditional statements collecting the IP address. Sometimes the user's LAN address will get forwarded, which of course is pretty worthless by itself.
alex at acid-edge dot net
24-Jul-2002 02:32
24-Jul-2002 02:32
Note that some caches seem to send the client-ip header *backwards*. be careful :)
john-php at pc dot xs4all dot nl
16-Aug-2000 10:56
16-Aug-2000 10:56
Note that the X-Forwarded for header might contain multiple addresses, comma separated, if the request was forwarded through multiple proxies.
Finally, note that any user can add an X-Forwarded-For header themselves. The header is only good for traceback information, never for authentication. If you use it for traceback, just log the entire X-Forwarded-For header, along with the REMOTE_ADDR.
sorry at spammed dot nut
12-Jul-1999 11:43
12-Jul-1999 11:43
To show a use of getenv("QUERY_STRING")....
suppose you have a site with frames... the frames create the "interface", and one frame called "main" has an active document... now, suppose you made a page.php3 which took an argument "pg" and spit out the framesets necessary, with "main" frame containing whatever "pg" is... so now you can bring up any page in your site with page.php3?pg=test.html
now, take this one step further, and suppose you want outside links to point to php3 pages which takes parameters, ON your site... but you still want them to appear in frames, so what do you do? well, if "ok.php3" was the page you wanted to show, and it was requested as "ok.php3?some=params&go=here", then the very thing in the beginning of ok.php3 could be
if (!isset($inframe)) {
header("Location: http://yoursite/page.php3?pg=".urlencode("inframes=1&").getenv("QUERY_STRING"));
exit;
}
Now... you might ask, how in the world did I come up with THAT? Well, perhaps it was because I came here not able to remember which environment variable held the query string...