php validate an ip address (intensely)

iceomnia

Hi everyone... again!


function validateIP($ip)
{

$regexp = "([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})";

$validate = ereg($regexp, $ip);

if ($validate == true)
{
	return true;
}
else
{
	return false;
}
}

...so here's my IP address validator.

Pretty simple really, it's just it doesn't work all that well.

for example:


validateIP("192.168.1.1"); // returns TRUE

validateIP("999.999.999.999"); // ALSO returns TRUE but it's invalid

So I need to be able to determine the following:

If the IP is 4 blocks of 3 numbers between 0 and 255, of course, 0.0.0.0 is also invalid.
If the IP resolves to a hostname
Any other validations anyone can think of.

maybe we shouldn;t be using regular expresions at all??

Also, I am trying really hard to avoid using these, for sooooo many reasons:

ip2long()
long2ip()

iceomnia

So let's do the following validations:

Make sure it's in the correct for with regular expression
making sure it's 4 blocks of 1-3 numbers
Make sure it's not 0.0.0.0
Ping The IP and ensure it's valid
5 Make sure it resolves to a hostname

...This is because, anyone using an invalid IP address will not be able to access our website.

iceomnia

Whilst searching the net I found a regular expression written by LaserLight from this site.

So my function is looking like this so far:

function validateIP($ip)
{
	$valid = false;

$regexp = '/^((1?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(1?\d{1,2}|2[0-4]\d|25[0-5])$/';

if (preg_match($regexp, $ip))
{
	$valid = true;
}

return $valid;
}

iceomnia

I know it kinda seems like i'm just talking to myself here, but does anyone want to give me some ideas?

iceomnia

OK, so with the updated example:

000.000.000.000

is an invalid IP address, however:

0.0.0.0 is NOT

Why?

laserlight

0.0.0.0 is indeed a valid IP address. Actually 000.000.000.000 is also a valid IP address, since it is equivalent to 0.0.0.0. They are valid solely in the context of being IP addresses, but whether they actually identify a host is another matter.

Weedpacket

[man]ip2long[/man] returns false in the case of an invalid IP (but see Example 3 on that page).

iceomnia

I saw that, but how does it do it?

The reason I ask is everything I am writing in my native PHP, I am re-writing in c# for several reasons, firstly I want to learn that language too and secondly I have a client who requires everything done in that language.

Novacane

This should work for PHP

function validIP($ip){
    if(preg_match("^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}^", $ip))
        return true;
    else
        return false;
}

The same thing in C# would be

static bool validIP(string ip) {  

    Regex ipcheck = new Regex("^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$");
    return ipcheck.IsMatch(ip);
}

These will give you:
192.198.1.1 is Valid
0.0.0.0 is In-Valid
68.125.75.23 is Valid
000.000.000.000 is In-Valid
256.255.255.255 is In-Valid
255.255.255.255 is Valid
is In-Valid

Edit:
php's preg_match function will return a 1 if a match is found or a 0 if one isn't so you could just return the result of that instead of returning a bool since php doesn't care either way.

laserlight

php's ereg function will return a 1 if a match is found or a 0 if one isn't so you could just return the result of that instead of returning a bool since php doesn't care either way.

Read iceomnia's thread on php ereg VS preg_match.

Novacane

laserlight wrote:
Read iceomnia's thread on php ereg VS preg_match.

ooh, wasn't aware, good to know, I'll keep that in mind.
Edited my other post to reflect preg_match with correct preg pattern syntax

Weedpacket

icomnia wrote:
I saw that, but how does it do it?

One of the user notes on that page actually describes it. It's really just the "obvious" thing: treat it as a four-digit number written in base 256. There is also a link in the function's description to an IBM document on the subject.

laserlight

One of the user notes on that page actually describes it. It's really just the "obvious" thing: treat it as a four-digit number written in base 256.

Yes, but it seems that iceomnia wants more than the obvious (which the example attributed to me also does, presumably), so perhaps either Novacane's solution will be the one, or some checking of number ranges after the conversion to long.

Also, ip2long() allows partial addresses, and that may not be what is desired. It really depends on what "valid" means.

iceomnia

Yes indeed I don't want a partial IP address...

When a user logs into the site, I need to record his/her IP address on every visit, then update the DB to either add or update that IP and make a not of their userId.

This way, when I ban people, I will effectively ban every IP address they have ever used to log-in with, rather than just banning their userId.

Therefore if they once use a proxy, say from work, I will ban that too.

Also, i believe that people can make their IP invisible to web software, and therefore it will not allow such users to access the site whatsoever.

...moreover, if they try to use an IP that's invalid, for whatever reason, they will not be allowed access to the site.

Weedpacket

iceomnia wrote:
Also, i believe that people can make their IP invisible to web software,

So how does the server know where to send its response to?

Therefore if they once use a proxy, say from work, I will ban that too.

And everyone else who uses that proxy.