2
I have to receive Gets with important information, and can only be via GET and not via POST. I was wondering if you have any way to receive the Gets from another server, only if that server had a certain IP.
How can I do that?.
2
I have to receive Gets with important information, and can only be via GET and not via POST. I was wondering if you have any way to receive the Gets from another server, only if that server had a certain IP.
How can I do that?.
7
Use the global variable $_SERVER['REMOTE_ADDR']
It will inform the IP of where the page is being requested. Remember that if you use Cloudflare or some other similar mechanism, it may change the content of $_SERVER['REMOTE_ADDR']
.
In the case of Cloudflare, this happens in the free plan and the original IP that made the request is placed in another variable called $_SERVER['HTTP_CF_CONNECTING_IP']
So the final code would be about that (judging by your needs):
<?php
$requestIP = (isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : null;
if ($requestIP !== null && $requestIP === '127.0.0.1') {
//seu código aqui
}
Also remember to exchange the IP 127.0.0.1 present in condition for the IP that will be allowed.
4
It is possible yes, PHP allows checking which is the IP of the machine that made the request, however if this is some "security" system, do not do so because the user can simulate an IP using a proxy and so go around the system.
Never trust information sent by the customer, they can be manipulated.
All relevant IP information can be found in the $_SERVER array. The simplest way to get your visitors' IP address is with the following code:
$ip = $_SERVER['REMOTE_ADDR'];
This solution is not entirely accurate, because if the user is on a connection using a proxy server, the IP you will get will be that of the proxy server and not the actual IP address of the user.
You can get more accurate results. Proxy servers bring in the HTTP header a property that stores the original IP. The name of this field is X-Forwarded-For
or Client-Ip
. If one of these fields is present in the HTTP header, then you can read its values through the array $_SERVER
:
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
//Verifica se o IP é permitido
if($ip==xxx.xxx.xxx.xxx) {
//verifica se os dados foram enviados via GET
if(isset($_GET["XPTO"])) {
echo 'O IP é correto e os dados foram enviados via GET!';
}
}
Meanwhile the values of X_Forwarded_For
and Client_Ip
are not 100% reliable as it is possible to manipulate these values. Because of this we cannot only use IP verification for applications and security solutions.
People can simulate an ip that matches the ip of a machine of mine?
@Gonçalo yes, it is possible to simulate any IP.
Browser other questions tagged php
You are not signed in. Login or sign up in order to post.
That IP, is the IP from where I want to get the right get?
– Gonçalo
If you’re doing
$requestIP === '127.0.0.1'
and$requestIP
is equal tonull
, automatically will not befalse
?– Guilherme Lautert
What is the exact function to grab the IP?
– Gonçalo
@Gonçalo I spoke in reply... The IP of who is making the request does not come in a function but in a variable, the variable $_SERVER['REMOTE_ADDR'].
– Clayderson Ferreira
@Guilhermelautert psé, it’s customary, but it doesn’t change anything, besides, it can be adapted to put a list of Ips instead of just one.
– Clayderson Ferreira
Tell me something, the user can manipulate the ip, so that it is the same as the server?
– Gonçalo
@Gonçalo if the connection is made using the internet, no. If it is on the intranet, yes. This happens because there can be no more than one machine connected on the same network with the same IP and, the internet is a network.
– Clayderson Ferreira
I do not understand very well, the user can put his ip equal to the machine?
– Gonçalo
I can’t find simpler words to explain. If you want to guarantee the authenticity of the $_GET request, you can send along with it a key, which would be secret. The key would be nothing more, nothing less than a new value passed via $_GET which you would have to check on the target server, example: http://exemplo.com.br/? name=clayderson&key=109390123, remembering that this only applies to requests made by a server, which users will not be able to see.
– Clayderson Ferreira
Right, so I can do a check if the key and ip are the same as found, so the right get?
– Gonçalo
Yeah, that’s right.
– Clayderson Ferreira
@Claydersonferreira the use of the key is useless if it is not random, if it is always the same little will change. The best thing would be for him to explain the objective to help with a possible solution.
– Filipe Moraes
@Filipemoraes if used in the right way will be as effective as any other proposed solution.
– Clayderson Ferreira