How to receive GETs only from a certain IP

Viewed 307 times

2

I have to receive GETs with important information, and it can only be via GET and not via POST. I was wondering if there is any way to receive the GETs from another server only if that server has a certain IP.

How can I do that?

2 answers

7


Use the global variable $_SERVER['REMOTE_ADDR']

It will tell you the IP from which the page is being requested. Remember that if you use Cloudflare or some other similar mechanism, it may change the content of $_SERVER['REMOTE_ADDR'].

In the case of Cloudflare, this happens in the free plan and the original IP that made the request is placed in another variable called $_SERVER['HTTP_CF_CONNECTING_IP'].

So the final code would be something like this (judging by your needs):

<?php

$requestIP = (isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : null;

if ($requestIP !== null && $requestIP === '127.0.0.1') {
    // your code here
}

Also remember to replace the IP 127.0.0.1 in the condition with the IP that will be allowed.

  • That IP is the IP from which I want to receive the GET, right?

  • If you’re doing $requestIP === '127.0.0.1' and $requestIP is equal to null, won't it automatically be false?

  • What is the exact function to grab the IP?

  • @Gonçalo I said it in the answer... The IP of whoever is making the request does not come from a function but from a variable, the variable $_SERVER['REMOTE_ADDR'].

  • @Guilhermelautert yeah, it’s habit, but it doesn’t change anything; besides, it can be adapted to use a list of IPs instead of just one.

  • Tell me something: can the user manipulate the IP so that it is the same as the server's?

  • @Gonçalo if the connection is made using the internet, no. If it is on the intranet, yes. This happens because there can be no more than one machine connected on the same network with the same IP, and the internet is a network.

  • I don't quite understand: can the user set his IP equal to the machine's?

  • I can’t find simpler words to explain. If you want to guarantee the authenticity of the $_GET request, you can send along with it a key, which would be secret. The key would be nothing more, nothing less than a new value passed via $_GET which you would have to check on the target server, for example: http://exemplo.com.br/?name=clayderson&key=109390123, remembering that this only applies to requests made by a server, which users will not be able to see.

  • Right, so I can check whether the key and IP are the same as those found, and so it's the right GET?

  • Yeah, that’s right.

  • @Claydersonferreira the use of the key is useless if it is not random; if it is always the same, little will change. The best thing would be for him to explain the objective to help with a possible solution.

  • @Filipemoraes if used in the right way it will be as effective as any other proposed solution.

4

Yes, it is possible. PHP allows checking the IP of the machine that made the request; however, if this is some kind of "security" system, do not do so, because the user can simulate an IP using a proxy and so get around the system.

Never trust information sent by the client; it can be manipulated.

All relevant IP information can be found in the $_SERVER array. The simplest way to get your visitors' IP address is with the following code:

$ip = $_SERVER['REMOTE_ADDR'];

This solution is not entirely accurate, because if the user is on a connection using a proxy server, the IP you will get will be that of the proxy server and not the actual IP address of the user.

You can get more accurate results. Proxy servers include in the HTTP headers a field that stores the original IP. The name of this field is X-Forwarded-For or Client-Ip. If one of these fields is present in the HTTP headers, then you can read its value through the array $_SERVER:

if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

// Check whether the IP is allowed (replace the placeholder with the permitted address)
if ($ip === 'xxx.xxx.xxx.xxx') {
    // Check whether the data was sent via GET
    if(isset($_GET["XPTO"])) {
        echo 'O IP é correto e os dados foram enviados via GET!';
    }
}

However, the values of X_Forwarded_For and Client_Ip are not 100% reliable, as it is possible to manipulate these values. Because of this, we cannot rely only on IP verification for applications and security solutions.

  • Can people simulate an IP that matches the IP of one of my machines?

  • @Gonçalo yes, it is possible to simulate any IP.
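
The checks discussed in both answers, combined as an added example (not code from either answer): the address is taken from REMOTE_ADDR, X-Forwarded-For is honoured only when the connecting peer is a proxy you operate, and the GET key is compared with hash_equals. The addresses, the key and the function names are constructed for illustration.

```php
<?php
// Added example. All addresses, the key and the function names are constructed.
const ALLOWED_SENDERS = ['203.0.113.10'];   // server(s) allowed to call this endpoint
const TRUSTED_PROXIES = ['198.51.100.7'];   // your own reverse proxy, if any
const SHARED_KEY      = 'replace-with-a-long-random-secret';

// Return the sender address. X-Forwarded-For is believed only when the TCP peer
// is a proxy we operate; then the right-most (proxy-appended) entry is used.
function resolveClientIp(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null || filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : null;
    }
    return $peer;
}

// Both checks must pass: allow-listed address AND the secret key.
function isAuthorized(array $server, array $get): bool
{
    $ip  = resolveClientIp($server);
    $key = $get['key'] ?? '';
    return $ip !== null
        && in_array($ip, ALLOWED_SENDERS, true)
        && is_string($key)
        && hash_equals(SHARED_KEY, $key);   // constant-time comparison
}

// Constructed requests: [$_SERVER-like array, $_GET-like array]
$cases = [
    'allowed server, right key'   => [['REMOTE_ADDR' => '203.0.113.10'], ['key' => SHARED_KEY]],
    'allowed server, wrong key'   => [['REMOTE_ADDR' => '203.0.113.10'], ['key' => 'guess']],
    'forged header, unknown peer' => [['REMOTE_ADDR' => '192.0.2.55', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'], ['key' => SHARED_KEY]],
    'via our proxy'               => [['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'], ['key' => SHARED_KEY]],
];
foreach ($cases as $name => [$server, $get]) {
    printf("%-28s %s\n", $name, isAuthorized($server, $get) ? 'accepted' : 'rejected');
}
```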
