[nycphp-talk] best practice for detecting ip

Rob Marscher rmarscher at
Tue Mar 18 16:16:47 EDT 2008

Hey everyone,

Does someone know the best practice for detecting ip addresses with  
php/apache for use in reporting/metrics?

I'm re-evaluating our code for detecting ips and I see it's built  
towards getting a unique browser ip without regard for how easily it  
can be spoofed.  For example, we're using X-FORWARDED-FOR which I know  
can be very easily spoofed by proxy servers so it should only be done  
with trusted proxies like AOL.  Does anyone know where to find a good  
list of ips of trusted proxies (as well as maybe a list of known  
anonymous proxy servers)?

Also, is there any reason to use HTTP_CLIENT_IP?  The current code we  
have looks to use that first if it's available.  But I'm not exactly  
sure the difference between that header and REMOTE_ADDR.

Thanks a lot,

More information about the talk mailing list