What the cURL sends to the request's address? The PHP script is hosted on a dedicated server. When I'm accessing the script, is it sending my IP address or the server's one with a referer? I was always wondering this.
Since the PHP server is making the request, it is sending its own IP address.
Related
Say in a PHP script you made a cURL request to a secondary service/API. At any point would this address be displayed to the client? My understanding is that it would not as PHP scripts are entirely server sided.
Could someone please provide clarity?
Only if you include something like POST data, GET data, or manually specify a header with the IP address in it. You're correct in that the request will originate from the server as PHP is 100% server-side.
I serve my PHP script with port forwarding(i use mamp) other users can view website but php don't return true client ip, it always return my server ip. I can't find my vpn ip in $_SERVER array what is problem? thanks.
To obtain ip address of clients from the server use $_SERVER['REMOTE_ADDR'].
And to do it on client side using javascript and ajax for retrieving and sending ip address. see this link http://jsonip.com/
I would try to explain in diagrams
[REST SERVER] <--------> [JAVASCRIPT BASED WEBSITE] <--------> [USER]
192.168.0.2 192.168.0.3 192.168.0.123
How can I get the IP of the website that consumes the REST server instead of the USER's IP.
I tried using $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_REFERRER'] but they both return the IP of the user.
Is it possible in the web? I'm using PHP for my REST server.
I'll assume here that you mean the website is hosted on 192.168.0.3. This means the user will be downloading the Javascript and HTML data from said server, and then execute it locally on 192.168.0.123. That Javascript is then going to make remote calls to the REST service from that local IP.
You want to know how to get the IP of the server that hosted the Javascript/HTML files before the client downloaded them, presumably in a reliable fashion. And the answer is that this is not possible. Because your actual schema looks like this:
[JAVASCRIPT BASED WEBSITE] <--------> [USER]
192.168.0.3 192.168.0.123
^
|
[REST SERVER] <--------------------------+
192.168.0.2
You cannot do this securely. You will have to make the javascript pass this to the server. And since javascript is run client side, this can be spoofed.
And even then, javascript does not have native functions to get you the IP address of the website. It can give you the domain name though. And then in, for example, PHP you can resolve this domain name to an IP address. Or have the javascript based web server give its IP address directly along. For example with the help of PHP, you can do in javascript: var myIP = '<?php echo $_SERVER['SERVER_ADDR']; ?>';
As a sidenote, the Origin header (can be spoofed) is ment for this purpose but a secure workaround would be some kind of handshake between JS server and REST server.
Javascript based webpage requests a token code via serverside, you put this token code into the javascript and send it to the rest server.
The rest server verifies the token code and then you know for sure where the javascript resides.
This is the only method of verifying the origin, it is not possible via plain IP addresses.
i want to check login information for remote website. i can do it with curl, but curl uses server's ip (i dont want my script to use server's ip, i want script to use client's ip).
for example: client will use my form (username and password) and my php script will check out his account details are correct or not. script will control that his account credentials are true or not.
i can not use curl (server ip),file get contents (server ip), jquery+json+ajax(cross domain problem).
any advice?
It is impossible for you to not use the server's IP address if the server is making the request. You are correct that the ajax solution won't work for xss reasons.
You could open the remote page in a hidden iframe, and control that iframe with jquery.
My hosting provider doesn't allow access to external SMTP mail servers. The problem is that some emails don't get sent using the internal server.
What are the dangers in posting data to a remote server to send emails?
You can post it by HTTPS if your provider does listen to your posted data.
If you are sure that nobody in your server's network catch your outgoing data, you can post it with normal http to your mail server (just simple php script) which then sends mail
I guess you what you mean is that you tried to use curl to send mails via remote servers and your host won't grant you usage of curl.
There is no inherent danger in sending mails but curl will give you a very powerful networking-tool and I guess that is what your host is not keen on handing over to his clients.