This snippet has a security issue. By setting the Client-IP or X-Forwarded-For header, anyone can pretend to be anyone else.
Various serious PHP and Python frameworks solved this problem by requiring the admin to configure a list of known and trusted proxies, and the header that they set. If REMOTE_IP comes from one of those proxies, then HTTP_X_FORWARDED_FOR should be inspected, and override the previous result.
Or better, you can just use $_SERVER['REMOTE_IP'] and tell the admin to set up mod_remoteip on his Apache if the said Apache is behind a reverse proxy.
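One way to implement the trusted-proxy scheme described above, as an added example that is not the commenter's code nor any framework's own; the header name, the proxy list and the sample addresses are assumptions chosen for illustration:

```php
<?php
// Resolve the client address: X-Forwarded-For is only consulted when the
// TCP peer (REMOTE_ADDR) is one of the proxies the admin configured.

/**
 * @param array $server         $_SERVER, or a constructed copy for testing
 * @param array $trustedProxies admin-configured reverse-proxy addresses
 * @param string $header        the header those proxies set (assumption)
 */
function client_ip(array $server, array $trustedProxies, string $header = 'HTTP_X_FORWARDED_FOR'): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Peer is not a known proxy: the header is under the caller's control, ignore it.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $raw = $server[$header] ?? '';
    if ($raw === '') {
        return $remote;
    }

    // The header reads "client, proxy1, proxy2": every proxy appends the peer
    // it saw. Walk from the right and skip the hops that belong to us.
    $hops = array_map('trim', explode(',', $raw));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue; // appended by one of our own proxies
        }
        // First hop not owned by us is the peer our outermost proxy saw;
        // anything further left was written by an untrusted party.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remote;
    }
    // Every hop was a trusted proxy: fall back to the peer address.
    return $remote;
}

// Constructed sample requests (not real traffic).
$trusted = ['10.0.0.5', '10.0.0.6'];
// Direct connection with a forged header: the header is ignored.
echo client_ip(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], $trusted), "\n";
// Client -> 10.0.0.5 -> 10.0.0.6 -> app, client forged a leading entry:
// the rightmost untrusted hop (198.51.100.9) is reported, not the forged one.
echo client_ip(['REMOTE_ADDR' => '10.0.0.6',
                'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9, 10.0.0.5'], $trusted), "\n";
```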