antonpuz

Reputation: 3316

$_SERVER['REMOTE_ADDR'] returns false IP

I am making an anti-flood script for my site. I can't use any service that handles it like fail2ban and its like. My question is regarding the $_SERVER['REMOTE_ADDR'] value. Is there any way that this function will return a false IP? I heard somewhere that this is possible and want to know how that's happening and what I can do to prevent it. That's my script:

    <?php
    session_start();

    // REMOTE_ADDR is filled in by the web server from the TCP peer address.
    $ip = $_SERVER['REMOTE_ADDR'];

    // Connection details are placeholders. The removed mysql_* functions are
    // replaced by mysqli prepared statements so the address is bound, never
    // interpolated into the SQL string.
    $db = new mysqli('localhost', 'user', 'password', 'database');

    // Refuse requests from addresses already in the ban table.
    $stmt = $db->prepare("SELECT 1 FROM `banned_users` WHERE `ip` = ?");
    $stmt->bind_param('s', $ip);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows != 0) die("you have been banned from the site!");

    // Count requests inside a 2-second window kept in the session.
    if (isset($_SESSION['views'], $_SESSION['time']) && $_SESSION['time'] >= time() - 2) $_SESSION['views']++;
    else {
        $_SESSION['views'] = 1;
        $_SESSION['time'] = time();
    }

    // 15 or more requests in the window: record the ban and stop serving.
    if ($_SESSION['views'] >= 15) {
        $now = time();
        $stmt = $db->prepare("INSERT INTO `banned_users` VALUES ('', ?, ?)");
        $stmt->bind_param('is', $now, $ip);
        $stmt->execute();
        die();
    }

As you can see, if the user makes more than 15 refreshes in 2 seconds it bans him from the site. Another question I have is regarding the 15 operations: is it a good value? Should I lower it, since the hosting I have has bandwidth limits?

Thanks.

Upvotes: 1

Views: 2472

Answers (4)

hek2mgl

Reputation: 157947

According to RFC 3875 - The Common Gateway Interface, the value of REMOTE_ADDR MUST be set and be an IPv4 or IPv6 address:

4.1.8. REMOTE_ADDR

   The REMOTE_ADDR variable MUST be set to the network address of the
   client sending the request to the server.

   ...

   The format of an IPv6 address is described in RFC 3513 [15].

The Apache SAPI and the CGI SAPI aim to conform with this RFC. So, if you are working with one of them, the value MUST be set to a proper value; any behaviour besides this would be a bug.

Upvotes: 1

Spudley

Reputation: 168655

REMOTE_ADDR is supplied to PHP by the web server. It gets it from the address of the incoming IP request.

It is generally fairly accurate, but:

  • It can be spoofed if someone knows what they're doing and really doesn't want to be traced.

  • It can also have a misleading value if the user is accessing the site via a proxy -- the address you'll get will be the proxy's address rather than the user's end address. (you may or may not get other $_SERVER fields for the proxy forwarding address, depending on the config of the proxy. And you cannot rely on that being accurate)

  • If the user is within their own network, NAT, firewalls, proxies and other networking systems may mean that the address they think of as their IP address is not the address that is received by your site. You may only ever see a single IP address or a small range of addresses for all users within that network. This would include a lot of (most) businesses (i.e. people visiting you from their office), and may also include some ISPs, which means that all customers of that ISP may appear to you to be the same IP address, and blocking one of them may block them all.

[can it] get some weird combination of numbers and dots or NULL or something else not necessarily an IP?

I guess it could contain an IPv6 address. If your code is expecting to only ever see an IPv4 address, that would be a problem. But in general, it would always be a valid IP address (even if it's been spoofed, it would still need to be valid in order for the server to accept the connection).

Upvotes: 3

Your Common Sense

Reputation: 157828

is there any way that this function will return some weird combination of numbers and dots or NULL or something else not necessarily an IP?

No.

Upvotes: 1

Elon Than

Reputation: 9765

If user is behind proxy you'll receive this proxy IP in $_SERVER['REMOTE_ADDR'] (real IP should be in $_SERVER['HTTP_X_FORWARDED_FOR'] then, but it depends on specified proxy).

In other cases I think IP from $_SERVER['REMOTE_ADDR'] should be correct.

Upvotes: -1
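An added example, not code from the question or from any of the answers, that puts Spudley's proxy caveat and Elon Than's X-Forwarded-For note into one resolver you could drop in front of the ban lookup above. REMOTE_ADDR is trusted only as the address of the TCP peer; X-Forwarded-For is consulted only when that peer is one of your own reverse proxies, and then only the hop your proxy appended is believed, because everything further left in the header was supplied by the client. The proxy addresses 10.0.0.5 and 10.0.0.6 and the sample $_SERVER arrays are constructed for the demo, and IPv6 results are canonicalised so the ban table keys on a single spelling.

```php
<?php
// Added example: resolve the client address to rate-limit on. The trusted
// proxy list and the $_SERVER stand-ins below are constructed for the demo.
declare(strict_types=1);

/**
 * Return the client IP to ban on, or null if nothing trustworthy was found.
 *
 * @param array<string,string> $server   $_SERVER (or a stand-in array)
 * @param string[]             $trusted  addresses of reverse proxies we operate
 */
function client_ip(array $server, array $trusted): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // RFC 3875 requires an IPv4 or IPv6 literal here; anything else means a
    // broken SAPI or a CLI run, so refuse to ban on it (fail closed).
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Not behind one of our proxies: the TCP peer is the client, and any
    // X-Forwarded-For it sent is attacker-controlled and ignored.
    if (!in_array($remote, $trusted, true)) {
        return normalize_ip($remote);
    }

    // Behind our proxy. Walk X-Forwarded-For from the right (the hop our proxy
    // appended) to the left, skipping further proxies of ours; the first
    // untrusted hop is the client.
    $xff = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '') {
        return normalize_ip($remote);      // proxy added nothing: use the peer
    }
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null;                   // malformed header: fail closed
        }
        if (!in_array($hop, $trusted, true)) {
            return normalize_ip($hop);
        }
    }
    return normalize_ip($remote);          // header listed only our proxies
}

/** Canonicalise so 2001:DB8::1 and 2001:db8:0:0:0:0:0:1 map to one ban row. */
function normalize_ip(string $ip): string
{
    $packed = inet_pton($ip);
    return $packed === false ? $ip : inet_ntop($packed);
}

// ---- constructed test vectors (not real traffic) ----------------------
$trusted = ['10.0.0.5', '10.0.0.6'];

$cases = [
    // direct client: forged XFF is ignored
    [['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1'], '203.0.113.9'],
    // via our proxy: take the hop the proxy appended, not the client's fake one
    [['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.7'], '198.51.100.7'],
    // two of our proxies chained
    [['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.5'], '198.51.100.7'],
    // our proxy with no header at all
    [['REMOTE_ADDR' => '10.0.0.5'], '10.0.0.5'],
    // IPv6 client in mixed case comes back canonical
    [['REMOTE_ADDR' => '2001:DB8::1'], '2001:db8::1'],
    // garbage header behind our proxy: fail closed
    [['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'], null],
    // CLI run or broken SAPI
    [[], null],
];

foreach ($cases as [$server, $expected]) {
    $got = client_ip($server, $trusted);
    printf("%-70s => %s\n", json_encode($server), var_export($got, true));
    if ($got !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($server));
    }
}
```

When the resolver returns null, skip the ban bookkeeping for that request rather than banning an empty string, and size the `ip` column in `banned_users` for IPv6 (45 characters covers every textual form) so the IPv6 case Spudley raises does not truncate into a value that matches nobody.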
