duanhuoyao7011 2018-05-22 12:55
Views: 78
Accepted

Security concerns about [HTTP_X_FORWARDED_FOR]: should I use it instead of [REMOTE_ADDR]?

I'm trying to create a php counter, and in order not to count repeated visits from the same visitor, I've been thinking about saving the visitor's IP address into the database, and I should turn to $_SERVER

I've read this sample function by @Dusza that seems nice and convenient:

<?php
// Returns the first non-empty candidate for the client's IP address.
// Headers are checked first, in priority order; REMOTE_ADDR is the fallback.
function get_IP() {
    if     (getenv('HTTP_CLIENT_IP'))       $ipaddress = getenv('HTTP_CLIENT_IP');
    else if(getenv('HTTP_X_FORWARDED_FOR')) $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
    else if(getenv('HTTP_X_FORWARDED'))     $ipaddress = getenv('HTTP_X_FORWARDED');
    else if(getenv('HTTP_FORWARDED_FOR'))   $ipaddress = getenv('HTTP_FORWARDED_FOR');
    else if(getenv('HTTP_FORWARDED'))       $ipaddress = getenv('HTTP_FORWARDED');
    else if(getenv('REMOTE_ADDR'))          $ipaddress = getenv('REMOTE_ADDR');
    else                                    $ipaddress = 'UNKNOWN';
    return $ipaddress;
}
?>

But I've done some research here, and found that there's a security hole in that because the user can spoof all values except REMOTE_ADDR, which can be modified by a proxy.

So I guess that when they say that there's a security hole, it means that I should sanitize the user's input when I insert it into the database doing some bindings.

Is there any other precaution?

Given that all other values are unreliable I should avoid using them altogether?

But what about the unspoofable value of REMOTE_ADDR? That can be modified by a proxy.

Any suggestions on what path should I take?

If you want to downvote, or vote the question to be closed or deleted, please leave me a comment about why, so I can improve my questions. Thanks.


1 answer

  • dragoninasia2014 2018-05-22 13:03

    REMOTE_ADDR is the IP address established through a 3-way TCP/IP handshake. It is the IP the response will be sent back to. It is the only thing that your server has verified. Everything else is just arbitrary HTTP headers anyone could set.

    Now, if you know that your server is running behind a proxy (e.g. a load balancer) which would mask the visitor's IP address (your server would only see the proxy's IP), but you know that the proxy is helpfully forwarding you the visitor's IP in an HTTP header (as a workaround for this situation so your server can still see the visitor's IP), then and only then may you use one of these HTTP headers and only the one that you know your proxy is setting. If your server is not behind a proxy, use REMOTE_ADDR exclusively. Otherwise, consult your proxy's manual and implement according to the situation.

    [image: network diagram]

    This answer was selected by the asker as the best answer.
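As an added example (not code from the question or the answer above), this is how the answer's rule can be implemented in PHP: REMOTE_ADDR is used unconditionally, and X-Forwarded-For is consulted only when the TCP peer is a proxy you operate yourself. The proxy addresses and the sample requests are constructed placeholders.

```php
<?php
// Added example: resolve the visitor's IP as the answer describes.
// REMOTE_ADDR is the verified TCP peer; X-Forwarded-For is only meaningful
// when that peer is one of our own proxies. Addresses below are constructed.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // hypothetical proxy IPs

function client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'UNKNOWN';
    }
    // Direct connection (no proxy of ours in between): the header is
    // attacker-controlled, so it is ignored entirely.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // X-Forwarded-For is "client, hop1, hop2": each proxy appends the peer it
    // saw. Walking from the right and skipping our own proxies, the first
    // address that is not ours is the peer our outermost proxy actually saw.
    // Everything further left was supplied by the client and is not trusted.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // Validate the format so a malformed header cannot reach the database.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remote;
    }
    return $remote; // header missing or only listed our own proxies
}

// Constructed request 1: direct connection carrying a forged header.
var_dump(client_ip(['REMOTE_ADDR' => '203.0.113.9',
                    'HTTP_X_FORWARDED_FOR' => '192.0.2.1']));
// Constructed request 2: visitor 198.51.100.7 behind our proxy 10.0.0.5,
// with a client-supplied leading entry that must not be believed.
var_dump(client_ip(['REMOTE_ADDR' => '10.0.0.5',
                    'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.7']));
// Constructed request 3: two of our proxies chained (10.0.0.6 in front of 10.0.0.5).
var_dump(client_ip(['REMOTE_ADDR' => '10.0.0.5',
                    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.6']));
```

In the first call the forged header is ignored and REMOTE_ADDR is returned; in the other two the visitor's address is recovered from the position in the chain that our own proxy wrote.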
