Is it safe to trust $_SERVER['REMOTE_ADDR']?

Silver Light · Jan 23, 2011 · Viewed 53.4k times

Is it safe to trust $_SERVER['REMOTE_ADDR']? Can it be substituted by changing the header of request or something like that?

Is it safe to write something like that?

if ($_SERVER['REMOTE_ADDR'] == '222.222.222.222') { // my ip address
    $grant_all_admin_rights = true;
}

Answer

sagi · Jan 23, 2011

Yes, it's safe. It is the source IP of the TCP connection and can't be substituted by changing an HTTP header.

One case you may want to be wary of is if you are behind a reverse proxy, in which case the REMOTE_ADDR will always be the IP of the proxy server and the user IP will be provided in an HTTP header (such as X-Forwarded-For). But for the normal use case reading REMOTE_ADDR is fine.
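The reverse-proxy caveat in the answer is where this check usually goes wrong in practice: X-Forwarded-For is an ordinary request header, so anyone connecting directly can set it, and it is only meaningful when the TCP peer (REMOTE_ADDR) is a proxy you control that appends the real client address. The following is an added example, not code from the question or the answer: it takes a $_SERVER-style array, honours X-Forwarded-For only when REMOTE_ADDR is one of an assumed list of trusted proxy addresses, and runs a few constructed requests through the admin check from the question.

```php
<?php
// Added example (not from the original question or answer): derive the client
// IP from a $_SERVER-style array. X-Forwarded-For is only honoured when the
// TCP peer (REMOTE_ADDR) is one of our own reverse proxies; from anyone else
// the header is attacker-controlled and is ignored.

// Assumed addresses of our reverse proxies (hypothetical values).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Not behind a trusted proxy: the TCP source address is the client.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }

    // Behind a trusted proxy: the address the proxy appended is the right-most
    // entry of X-Forwarded-For. Entries to the left were supplied by the client
    // (or by upstream proxies we do not control) and may be forged.
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_values(array_filter(array_map('trim', explode(',', $xff)), 'strlen'));

    // Walk back over any further trusted proxies in the chain.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], TRUSTED_PROXIES, true)) {
            return $hops[$i];
        }
    }

    return $remote; // proxy sent no usable header; fall back to the peer address
}

function is_admin_ip(array $server, string $admin_ip): bool
{
    $ip = client_ip($server);

    // Reject anything that is not a syntactically valid IP before comparing.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }

    return $ip === $admin_ip;
}

$admin = '222.222.222.222';

// Constructed sample requests (not real traffic).
$cases = [
    // 1. Direct connection from the admin's own address: granted.
    ['REMOTE_ADDR' => '222.222.222.222'],
    // 2. Direct connection from a stranger who forges the header: header ignored, denied.
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '222.222.222.222'],
    // 3. Via our proxy; the stranger sent a forged value and the proxy appended
    //    the real address after it: right-most entry wins, denied.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '222.222.222.222, 198.51.100.7'],
    // 4. Via our proxy, genuine admin connection: granted.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '222.222.222.222'],
];

foreach ($cases as $n => $server) {
    printf("case %d: client=%s admin=%s\n", $n + 1, client_ip($server),
        is_admin_ip($server, $admin) ? 'yes' : 'no');
}
```

Two things have to hold for this to be sound: the proxy must always append the connecting address to X-Forwarded-For (rather than passing the client's header through untouched), and the application must not be reachable except through that proxy, otherwise case 2 collapses into case 3 with the attacker choosing the "proxy". With no proxy at all, the function reduces to returning REMOTE_ADDR, which is exactly the answer's point.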