Reputation: 1078
On my site I have the ability for users to send a message to me. It's stored just in a MySQL database.
The URL is something like: www.mysite.com/contact?id=4ijr3943jwswER4we
(some random hash on the end as the id)
I have/had the ability that if I go to this URL and view the message, then an input box shows and it allows only me to reply to the message directly from that page. It does this by checking if the IP that the user is connecting from is my IP.
I've found that my IP is dynamic and thus whenever my IP gets reassigned, I'm no longer able to see this input form (since I'm now connecting from a different IP).
Is there a way (apart from setting a static IP on my machine) to achieve this same goal? Obviously checking the IP isn't going to be a long-term solution, and I've read that you can't grab a user's MAC address either.
If it matters, here's the code I've got for checking the IP:
    // Returns the first client-address value found. Every HTTP_* entry below
    // is read from a request header; only REMOTE_ADDR is the socket peer address.
    function getClientIP() {
        $ipaddress = '';
        if (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
        }
        else if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
        }
        else if (isset($_SERVER['HTTP_X_FORWARDED'])) {
            $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
        }
        else if (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
            $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
        }
        else if (isset($_SERVER['HTTP_FORWARDED'])) {
            $ipaddress = $_SERVER['HTTP_FORWARDED'];
        }
        else if (isset($_SERVER['REMOTE_ADDR'])) {
            $ipaddress = $_SERVER['REMOTE_ADDR'];
        }
        else {
            $ipaddress = 'UNKNOWN';
        }
        return $ipaddress;
    }
And it is checked by:
    if (getClientIP() == "::1" || getClientIP() == "<my ip>") {
        // show an input box and submit button
    }
Thanks!
Upvotes: 1
Views: 444
Reputation: 4415
Ignoring the blatant disregard for security and the fact that I would fire someone for doing this, you could have a &admin=$value in the URL. Something like this:
    // Compares the "admin" query parameter against a hard-coded value.
    function is_admin() {
        $password = filter_input(INPUT_GET, "admin", FILTER_SANITIZE_EMAIL);
        if ($password == "abc123") {
            return TRUE;
        } else {
            return FALSE;
        }
    }
So you can replace getClientIP() with is_admin():
    if (is_admin()) {
        // show an input box and submit button
    }
And then call it like this:
http://www.example.com/contact?id=4ijr3943jwswER4we&admin=abc123
Again, this is a horribly insecure solution, and you should be using a PKI with SSH port forwarding, a VPN connection, but this works, but I'm a sucker for an easy 10 point answer.
Upvotes: 1
Reputation: 5354
You might try using a free dynamic DNS service. Set up a domain, such as "MINE.COM", and use that instead of your IP. When your IP changes, the dynamic DNS service is supposed to adjust, so that MINE.COM is changed to point to the new IP. Your site can check the client for MINE.COM instead of the IP.
Be warned there is a lag time involved. It could be minutes or hours before "MINE.COM" reflects the updated IP. Plus, most "free" services involve advertising which might render your setup unusable.
Bottom line, without a static IP, you're pretty much hosed. A static IP is certainly possible, but usually costs more, as generally only larger concerns like schools, governments or businesses want or need one.
I suggest you investigate using an alternate method, such as a login form, passwords, sessions, cookies, etc. E.g., log in as your admin account, establish a cookie on your device, then the next time you visit the site, it can authenticate your device's cookie.
Upvotes: 0
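The login-plus-session-cookie approach suggested in the last answer, written out as an added example that is not part of any post above: the reply form is gated on a server-side session flag set after a password check, so it does not depend on the client's address or on any request header. The environment variable name ADMIN_PASSWORD_HASH, the reply.php target and the helper names are assumptions made for illustration, and the cookie settings assume the site is served over HTTPS.

```php
<?php
declare(strict_types=1);
// Added example. ADMIN_PASSWORD_HASH is a hypothetical environment variable holding
// the output of: php -r 'echo password_hash("passphrase", PASSWORD_DEFAULT);'
session_set_cookie_params([
    'secure'   => true,     // assumption: the site is served over HTTPS
    'httponly' => true,     // cookie is not readable from JavaScript
    'samesite' => 'Strict', // cookie is not attached to cross-site requests
]);
session_start();

function admin_login(string $password): bool
{
    $hash = getenv('ADMIN_PASSWORD_HASH');
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);  // fresh session ID once privileges change
    $_SESSION['is_admin'] = true;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    return true;
}

function is_admin(): bool
{
    return ($_SESSION['is_admin'] ?? false) === true;
}

// The reply handler (hypothetical reply.php) calls this before acting.
function csrf_ok(string $token): bool
{
    return is_admin() && hash_equals($_SESSION['csrf'] ?? '', $token);
}

// Login: a POST carrying a "password" field, so the secret stays out of URLs.
$pw = $_POST['password'] ?? null;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && is_string($pw)) {
    if (!admin_login($pw)) {
        http_response_code(403);
    }
}
if (is_admin()) {
    // show an input box and submit button
    $token = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES);
    echo '<form method="post" action="reply.php">'
       . '<input type="hidden" name="csrf" value="' . $token . '">'
       . '<textarea name="reply"></textarea><button>Send</button></form>';
}
```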