PHP, MySQL and IP-addresses

Jørn Dahl-Stamnes

I use this code to store the IP addresse:

<?php
$IP = $_SERVER['REMOTE_ADDR'];
$query = "update mytable set ipaddr=inet_aton('$IP') where <some code>";
mysql_query ($query);
?>

When I do a 'select inet_ntoa(ipaddr) from mytable' most of the ip-addesses
shows up correctly, but one showed up as "127.255.255.255", which is
meaningless. Comparing to the log, the IP-address was 195.x.x.x

Is the $_SERVER['REMOTE_ADDR'] safe to use? Can it be something else that
the actual source of the http request to my server?

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/

Mar 11 '06 #1

Andy Jeffries

On Sat, 11 Mar 2006 09:03:03 +0100, Jørn Dahl-Stamnes wrote:

I use this code to store the IP addresse:

<?php
$IP = $_SERVER['REMOTE_ADDR'];
$query = "update mytable set ipaddr=inet_aton('$IP') where <some code>";
mysql_query ($query);
?>

When I do a 'select inet_ntoa(ipaddr) from mytable' most of the
ip-addesses shows up correctly, but one showed up as "127.255.255.255",
which is meaningless. Comparing to the log, the IP-address was 195.x.x.x

Is the $_SERVER['REMOTE_ADDR'] safe to use? Can it be something else that
the actual source of the http request to my server?

$_SERVER['REMOTE_ADDR'] can be the address of a proxy (maybe in this case
an bad anonymising one). I always check if
$_SERVER["HTTP_X_FORWARDED_FOR"] is set first (most proxies set this
header to the be the originating IP address).

Cheers,
Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

Mar 11 '06 #2

Jørn Dahl-Stamnes

Andy Jeffries wrote:

On Sat, 11 Mar 2006 09:03:03 +0100, Jørn Dahl-Stamnes wrote:

I use this code to store the IP addresse:

<?php
$IP = $_SERVER['REMOTE_ADDR'];
$query = "update mytable set ipaddr=inet_aton('$IP') where <some
code>"; mysql_query ($query);
?>

When I do a 'select inet_ntoa(ipaddr) from mytable' most of the
ip-addesses shows up correctly, but one showed up as "127.255.255.255",
which is meaningless. Comparing to the log, the IP-address was 195.x.x.x

Is the $_SERVER['REMOTE_ADDR'] safe to use? Can it be something else that
the actual source of the http request to my server?

$_SERVER['REMOTE_ADDR'] can be the address of a proxy (maybe in this case
an bad anonymising one). I always check if
$_SERVER["HTTP_X_FORWARDED_FOR"] is set first (most proxies set this
header to the be the originating IP address).

I found out that it was my own test-server that genereated the
127.255.255.255 adress. But the funny thing is that if I in the php-file
added a 'echo "IP-addr.:" . $_SERVER['REMOTE_ADDR'];' it showed the correct
IP-adresse. But if I called a function from the same php file, which
updated the SQL database with my IP-address, the address had changed to
127.255.255.255. I can't figure out why.

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/

Mar 11 '06 #3

Jørn Dahl-Stamnes

Jørn Dahl-Stamnes wrote:

I use this code to store the IP addresse:

<?php
$IP = $_SERVER['REMOTE_ADDR'];
$query = "update mytable set ipaddr=inet_aton('$IP') where <some code>";
mysql_query ($query);
?>

When I do a 'select inet_ntoa(ipaddr) from mytable' most of the
ip-addesses shows up correctly, but one showed up as "127.255.255.255",
which is meaningless. Comparing to the log, the IP-address was 195.x.x.x

Is the $_SERVER['REMOTE_ADDR'] safe to use? Can it be something else that
the actual source of the http request to my server?

I found the error. The ipaddr was of type "int" but should have been "int
unsigned" in order to store ip-addresses from 128.0.0.0 and above. So all
ip-addresses above 127.255.255.255, was stored as 127.255.255.255.

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/

Mar 12 '06 #4