Can we spoof $_SERVER['REMOTE_ADDR'] / user ip with php cURL?

No. $_SERVER['REMOTE_ADDR'] is the actual physical IP address the client used to connect to the webserver, as confirmed by a three-way TCP handshake. There's no way to fake this by setting simple HTTP headers. You also cannot make the webserver/PHP overwrite this value with something else in any way. $_SERVER['REMOTE_ADDR'] is set from TCP connection information, period.

To actually spoof an IP address, you have to go much deeper into the actual network layer and have some level of control over network equipment/man in the middle positions/proxies/whatnot to actually be able to establish a TCP connection from an IP address other than the one you're establishing it from.

Is there a way for countering the method OR Is there a way to get the ACTUAL REAL IP of a user?

No. "The actual IP address of the user" is the address your webserver received the connection from, period. There is no other address for you. The client connects to your server from a certain IP, this is confirmed with a three-way TCP handshake, that's the only address you know for this client. This client may be a proxy or a NAT router (i.e. a proxy) or something else, you simply do not know and neither should it make any difference to you.

Author by

Jo E.

Updated on July 09, 2022

Comments

  • Jo E.
    Jo E. almost 2 years

    Well the title basically says it.

    But for more info . .

    This method works but . .

    $ip = '1.1.1.1';
    curl_setopt($handle, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "X_FORWARDED_FOR: $ip"));
    

    It only adds these two keys on the $_SERVER array

    • HTTP_REMOTE_ADDR
    • HTTP_X_FORWARDED_FOR

    The key REMOTE_ADDR still remains the same.

    Can REMOTE_ADDR be changed? The answer here says NO. But a comment also says It may, however, NOT be the user's real IP address because it may be hidden by proxies and other methods. That is why the general rule is to not depend on $_SERVER['REMOTE_ADDR'] for a security feature.

    With all that aside is there a curl php method to also hide/mask/change the ip? (any other php method aside from the above code would do.)

    AND

    Is there a way for countering the method OR Is there a way to get the ACTUAL REAL IP of a user?

    Cheers!

  • Jo E.
    Jo E. over 10 years
    I feel that it is wrong if I don't trust your answer. Thank you!
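
As an added example (not part of the original question or answer), the PHP sketch below models why the headers set in the question only show up as HTTP_REMOTE_ADDR and HTTP_X_FORWARDED_FOR, and how server code can read the socket address while logging headers that claim a different one. The function names, the simplified `$_SERVER` model and the 203.0.113.7 sample peer address are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. All function names are hypothetical.
// CGI convention PHP follows for request headers: upper-case, '-' -> '_', HTTP_ prefix.
function header_to_server_key(string $header): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

// Simplified model: REMOTE_ADDR comes from the accepted TCP socket, headers land under HTTP_*.
function build_server_array(string $peerAddress, array $requestHeaders): array
{
    $server = ['REMOTE_ADDR' => $peerAddress];
    foreach ($requestHeaders as $name => $value) {
        $server[header_to_server_key($name)] = $value;
    }
    return $server;
}

// The only address the server knows: the socket peer. Headers are ignored.
function client_ip(array $server): ?string
{
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// For logging: HTTP_* keys whose value claims an IP other than the socket peer.
function conflicting_ip_headers(array $server): array
{
    $peer = client_ip($server);
    $hits = [];
    foreach ($server as $key => $value) {
        if (strncmp((string) $key, 'HTTP_', 5) !== 0) { continue; }
        foreach (explode(',', (string) $value) as $part) {
            $claimed = filter_var(trim($part), FILTER_VALIDATE_IP);
            if ($claimed !== false && $claimed !== $peer) {
                $hits[$key] = $value;
                break; // one mismatch is enough to flag this header
            }
        }
    }
    return $hits;
}

// Constructed sample: peer 203.0.113.7 sends the two headers from the question.
$server = build_server_array('203.0.113.7', ['REMOTE_ADDR' => '1.1.1.1', 'X_FORWARDED_FOR' => '1.1.1.1']);
var_dump(client_ip($server));
var_dump(array_keys(conflicting_ip_headers($server)));
```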