are client IPs always returned as xxx.xxx.xxx.xxx? - PHPBuilder Forums

are client IPs always returned as xxx.xxx.xxx.xxx?

sneakyimp

I am not super clear on the various ways an IP address can be specified. I've seen spam mails come in with numeric ip addresses and no decimal points. I just want to know if the PHP environment vars pertaining to client IPs (such as $_SERVER['REMOTE_ADDR']) always return ip in the traditional xxx.xxx.xxx.xxx format or whether other types of ip representation might appear.

dalecosp

I'm not sure exactly what you are asking. Internet Protocol (IP), represents address space in a quartet of eight-bit numbers (as long as we're talking decimal). If you've "seen spam come in with numeric addresses and no decimal points", you weren't seeing an "IP address".

Unless your system is ipv6 aware, and PHP has been compiled with --enable-ipv6, I would not expect anything but a dotted quad IP address, or a FALSE, from $_SERVER['REMOTE_ADDRESS'] ... but keep in mind, this isn't guaranteed to be reliable, or even present, in all cases.

sneakyimp

thanks for your concise reponse, dale. i checked the output from phpinfo() and there's no compile option referring to ipv6 so i think i'm safe. i'm not sure at all if my 'system is ipv6 aware'. do you mean the os, the server, the php module, or what here?

my question was basically about the IP information i find in the superglobal environment/server vars about the address from which the client request comes. will this address always consist of 4 numbers between 0 and 255 delimited by 3 periods? my plan is to explode() the IP for comparison of the first 3 numbers.

as for the information not always being available, i think i can live with that. i'm working on some session handling code and since the information is usually there, i have no problem dropping sessions for clients that don't have the information.

i have been using phpBB's session handling as my guide. When a client presents a session id to try to resume an existing session, their session handling code checks the current client IP against the IP address used when a session was created. if the first 3 quadrants of the ip address match, the client is allowed to continue the existing session. Apparently ipv4 can result in different IPs for a single session but this rarely results in a change in any of the first 3 quadrants. if one of the first 3 differs, the code assumes this is a different user (who might be trying to hijack a session) and a access to the existing session is denied. A new empty session is created instead.

Megahertza

As far as i know, Windows Vista is Ipv6 aware and you can make Windows Xp Ipv6 aware aswell. But i have not seen anything sent to or by a xxx.xxx.xxx.xxx.xxx.xxx address. It is most likly that light fittings and fridges will be using ipv6 first.

Weedpacket

An IPv6 address is usually rendered as something like "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210" - eight bunches of up to four hex digits (128 bits, as opposed to the 32 of IPv4 - of course, there is still plenty of partitioning of the address space, so most of them you'll never see. Unless your LAN has a few billion networked appliances....)