Posted by Jochem Maas on 10/16/03 11:34
Dave Carrera wrote:
> Jay Blanchard wrote:
>
>> [snip]
>> Is there a way of sending users with a local ip address say 127.0.0.1
>> and 192.168.xxx.xxx to go to one page and all other visitors to go to
>> another?
>> [/snip]
>>
>>
.....
>>
> snip from TFM
>
> 'HTTP_REFERER'
>
> The address of the page (if any) which referred the user agent to
> the current page. This is set by the user agent. Not all user agents
> will set this, and some provide the ability to modify HTTP_REFERER
> as a feature. In short, it cannot really be trusted.
>
> notice the last 7 words !!!!

I'm sure Jay is well aware of that issue - I'll expand the concept for you...
every freaking bit (as in 8 bits make a byte) sent to your script from a
user agent (e.g. your browser) cannot _really_ be trusted (what so f***ing ever).

BUT HTTP_REFERER is not what you want I think ... because that gives you the
domain/ip of the server which referred the visitor to your page and not the domain/ip
of the client.

consider that there might be a better/safer solution at the level of the
webserver (e.g. virtual hosts combined with conditionally set env vars) or at
the level of the networking subsystem of your server (e.g. separate interface for
local subnet traffic?).

also you might find something useful in the couple of IP related
functions I include below....

/* Determine if an IP is in a net.
 * E.g. 120.120.120.120 in 120.120.0.0/16
 */
function isIPInSubnet($ip, $net, $mask)
{
    // ip2long() returns false for anything that is not a valid dotted quad
    if (ip2long($ip) === false || ip2long($net) === false) {
        return false;
    }
    // compare the first $mask bits of the 32-bit binary form of both addresses
    $mask      = (int) $mask;
    $firstpart = substr(str_pad(decbin(ip2long($net)), 32, "0", STR_PAD_LEFT), 0, $mask);
    $firstip   = substr(str_pad(decbin(ip2long($ip)), 32, "0", STR_PAD_LEFT), 0, $mask);
    return (strcmp($firstpart, $firstip) == 0);
}

/* This function checks if an IP is in an array of nets (IP and mask) */
function isPrivateIP($theip)
{
    foreach (array("10.0.0.0/8",
                   "172.16.0.0/12",
                   "192.168.0.0/16") as $subnet)
    {
        list($net, $mask) = explode('/', $subnet);
        if (isIPInSubnet($theip, $net, $mask)) {
            return true;
        }
    }
    return false;
}

/* Building the IP array with the HTTP_X_FORWARDED_FOR and REMOTE_ADDR HTTP vars.
 * With this function we get an array where first are the IPs listed in
 * HTTP_X_FORWARDED_FOR and the last IP is the REMOTE_ADDR
 */
function getRequestIPs()
{
    $ipList = array();
    foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'REMOTE_ADDR') as $key) {
        if (isset($_SERVER[$key]) && $_SERVER[$key]) {
            // header values look like "a, b, c": trim the whitespace around each entry;
            // no break here, so REMOTE_ADDR always ends up last as described above
            $ipList = array_merge($ipList, array_map('trim', explode(',', $_SERVER[$key])));
        }
    }
    return $ipList;
}

/* try hard to determine what the user's/client's public IP address is */
function getRequestIP($allowPrivIPs = false)
{
    foreach (getRequestIPs() as $ip) {
        if ($ip && ($allowPrivIPs === true || !isPrivateIP($ip))) {
            return $ip;
        }
    }
    return 'unknown';
}
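
Added example, not part of the original post and not Jochem's code: X-Forwarded-For is whatever the client sent unless your own reverse proxy wrote it, so this sketch reads the header only when REMOTE_ADDR is one of your proxies and walks the chain right to left. The names ipInCidr(), inAnyCidr(), clientIp() and the TRUSTED_PROXIES addresses are assumptions made up for illustration; IPv4 only, like the functions above.

```php
<?php
// Added example; helper names are hypothetical, proxy addresses are a constructed sample.
const TRUSTED_PROXIES = ['127.0.0.1/32', '10.0.0.2/32']; // assumption: your own reverse proxies

/* True if $ip lies inside $cidr (IPv4 only). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // malformed input never matches
    }
    $mask = -1 << (32 - (int) $bits); // top $bits bits set
    return ($ipLong & $mask) === ($netLong & $mask);
}

function inAnyCidr(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/* X-Forwarded-For is read only when the TCP peer (REMOTE_ADDR) is one of our
 * proxies; the chain is then walked right to left, skipping our own hops. */
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!inAnyCidr($peer, TRUSTED_PROXIES) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection: the header is client-supplied, ignore it
    }
    foreach (array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'])) as $hop) {
        $hop = trim($hop);
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return 'unknown'; // garbage in the chain: never guess
        }
        if (!inAnyCidr($hop, TRUSTED_PROXIES)) {
            return $hop; // first address not added by our own proxies
        }
    }
    return $peer; // every hop was one of our proxies
}

// Constructed requests: a direct client sending its own header, and one via our proxy.
var_dump(clientIp(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.168.1.5']));
var_dump(clientIp(['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '192.168.1.5, 198.51.100.7']));
```

The returned address can then be handed to a private-range check such as isPrivateIP() from the post to pick the page.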