PHP - 500 Points - Explain this ip code

Hi, can someone please explain this php code to get a user's ip address and if
they are using a proxy, the proxy address.

And if the below code is robust and good practice,

thanks

<?php

if (getenv(HTTP_X_FORWARDED_FOR))
{
  $ip=getenv(HTTP_X_FORWARDED_FOR);
    echo $ip;
}
else
if (getenv(HTTP_CLIENT_IP))
{
  $ip=getenv(HTTP_CLIENT_IP);
    echo $ip;
}
else
{
  $ip=getenv(REMOTE_ADDR);
  echo $ip;
}

?>
babyboy808Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gamebitsCommented:
Hi babyboy808,

If you don't mind a little bit of reading this page will teach you a lot about what you are trying to do.

http://ca.php.net/manual/en/function.getenv.php

Gamebits
babyboy808Author Commented:
Eh actually I do gamebits, only messing :)

Read a bit, but am still a bit in the dark :|

ksecorCommented:
Let's take this line by line:
<?php

if (getenv(HTTP_X_FORWARDED_FOR))
//getenv gets the environmental variable which you probably know...HTTP_X_FORWARDED_FOR is ip of the nat proxy. //Nat stands for network address translation...so it's the proxy address behind the router.
{
  $ip=getenv(HTTP_X_FORWARDED_FOR);
    echo $ip;
}
else
if (getenv(HTTP_CLIENT_IP))
{
  $ip=getenv(HTTP_CLIENT_IP);
//$HTTP_CLIENT_IP  does a very similar thing as http_x_forwarded as it passes extra headers put in by some proxies to //pass on the real ip address of the connecting machine
    echo $ip;
}
else
{
  $ip=getenv(REMOTE_ADDR);
//REMOTE_ADDR is the least reliable of the three. It's the ISP proxy.
  echo $ip;
}
So what is the best practice? Well, You seem to have a good start as you are extracting each piece of potential data. I'd use $_SERVER instead of getenv in case of an IIS (Windows server) and I'd do it in one line just in case...something like:
if ($_SERVER['HTTP_X_FORWARDED_FOR'] && $_SERVER['HTTP_CLIENT_IP'] && $_SERVER['REMOTE_ADDR'])

                              Hope that helps!
Rowby Goren Makes an Impact on Screen and Online

Learn about longtime user Rowby Goren and his great contributions to the site. We explore his method for posing questions that are likely to yield a solution, and take a look at how his career transformed from a Hollywood writer to a website entrepreneur.

babyboy808Author Commented:
Thanks ksecor,

Ok so to be IIS compatible, could you explain this, cheers

if ($_SERVER['HTTP_X_FORWARDED_FOR'] && $_SERVER['HTTP_CLIENT_IP'] && $_SERVER['REMOTE_ADDR'])

i think 'HTTP_X_FORWARDED_FOR = proxy?
this HTTP_CLIENT_IP = ?????
and this is REMOTE_ADDR = get the ip?

thanks again
ksecorCommented:
Ok, the asapi (Internet Server Application Programming Interface)  for iis has filters and basically getenv is 50/50 in getting past those filters...but the Super Global seems to have no problem with it. Here is an article about those filters: http://www.iis-resources.com/modules/wfsection/article.php?articleid=9 and there are even some notes in the php manual about it: http://us2.php.net/function.getenv
Assuming your grabbing the ip to do some user research, the idea would be to see if the ip's that each function get are different, then try to identify the one you can count on for that particular user. All my line of code says above is to make a log only if all three have values, then you could decide which are valid or not. Let's say the $_SERVER['HTTP_CLIENT_IP'] or $_SERVER['HTTP_X_FORWARDED_FOR'] were that of a network and the $_SERVER['REMOTE_ADDR'] was different, I could try to find a pattern of what the network and the user are and eliminate the extraneous data that I do not need. I use this code when I teach to see where assignments are being uploaded from as the school where I teach is on a network with the same proxy ip....
 
      Sorry for the wordy explanation:)
babyboy808Author Commented:
phew, thanks for the indepth explanation but could you explain in layman's terms please :)

i think 'HTTP_X_FORWARDED_FOR = proxy?
this HTTP_CLIENT_IP = ?????
and this is REMOTE_ADDR = get the ip?

$_SERVER['HTTP_X_FORWARDED_FOR'] = ?????
$_SERVER['HTTP_CLIENT_IP'] = ?????
$_SERVER['REMOTE_ADDR'] = ?????

thanks again
ksecorCommented:
Sure....I'm assuming you want to keep track of a user's ip, right? Let's say the in the original code, you don't want to print the ip, but you want to do something to store it...probably in a database or written to a file. Well, the idea is to get as accurate a read as possible. Let's say you have a user and you want to track what pages he accesses on your site. Well you'd think $_SERVER['REMOTE_ADDR'] would do it, right? Well, to be sure, we'll check to see that the ip shown is not that of a network ip, which is why we use $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['HTTP_CLIENT_IP'] . If the ip addresses are the same, the $_SERVER['REMOTE_ADDR'] might not be accurate as it may be that of a router or proxy which is what the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['HTTP_CLIENT_IP']  detect....

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.