is it necessary to validate $_SERVER['REMOTE_ADDR']?

assuming that php is running in web mode via cgi / mod_php / etc...

is it safe to assume tha开发者_运维知识库t $_SERVER['REMOTE_ADDR'] will exist, and further more, that it will contain a correctly stylized (sorry, terminology may be off here...) ip (1.1.1.1 -> 255.255.255.255?)?

this is not a question regarding weather the ip contained inside $_SERVER['REMOTE_ADDR'] will be a the true ip of the client making the request, as i do understand this can be 'spoofed' by modifying the outbound tcp packets...

just simply:

a) will $_SERVER['REMOTE_ADDR'] always exist if php is ran in web mode. b) if $_SERVER['REMOTE_ADDR'] does always exist, will it always contain a properly syntaxed ip?

thanks.

---

Yes, it is always present in web mode, and since the IP address is converted from its binary representation to the textual format you're seeing, it is always valid – there is no way to specify an invalid IP in the IP header.

One more thing: Don't assume any special format unless you absolutely must deal with IP addresses. For example, IPv6 addresses are longer and contain different characters. Basically, deal with IP addresses as an opaque string.