Is it safe to trust $_SERVER[‘REMOTE_ADDR’]?

by

Yes, it’s safe. It is the source IP of the TCP connection and can’t be substituted by changing an HTTP header.

One case you may want to be worry of is if you are behind a reverse proxy in which case the REMOTE_ADDR will always be the IP of the proxy server and the user IP will be provided in an HTTP header (such as X-Forwarded-For). But for the normal use case reading REMOTE_ADDR is fine.

More Related Contents:

  1. How Secure Is This Login System? (Using Cookies In PHP)
  2. How can I sanitize user input with PHP?
  3. How to get the client IP address in PHP
  4. What are the best practices for avoiding xss attacks in a PHP site [closed]
  5. When should I use prepared statements?
  6. “Keep Me Logged In” – the best approach
  7. Get the client IP address using PHP [duplicate]
  8. Full Secure Image Upload Script
  9. How safe are PHP session variables?
  10. Generating a random password in php
  11. What does it mean to escape a string?
  12. PHP $_SERVER[‘HTTP_HOST’] vs. $_SERVER[‘SERVER_NAME’], am I understanding the man pages correctly?
  13. Preventing session hijacking
  14. Why is using a mysql prepared statement more secure than using the common escape functions?
  15. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  16. how safe are PDO prepared statements
  17. How to get rid of eval-base64_decode like PHP virus files?
  18. How to sanitze user input in PHP before mailing?
  19. How can I relax PHP’s open_basedir restriction?
  20. How to run PHP exec() as root?
  21. Hiding true database object ID in url’s
  22. CodeIgniter – why use xss_clean
  23. How to enable DDoS protection?
  24. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  25. Why should I use $_GET and $_POST instead of $_REQUEST? [duplicate]
  26. Codeigniter CSRF – how does it work
  27. How to protect my source code when deployed?
  28. Does PHP’s $_REQUEST method have a security problem?
  29. Improve password hashing with a random salt
  30. Why is it considered bad practice to use “global” reference inside functions? [duplicate]

Leave a Comment