
[php] 'REMOTE_ADDR' integrity


Name: Laler
Date: January 14, 2004 at 08:23:54 Pacific
OS: XP Pro
CPU/Ram: 866 / 32
Comment:

I created a script to record a visitor's IP with $_SERVER['REMOTE_ADDR']

the question is, can someone ruin the script by using "not-legitimate" IPs?

it's ok if they're using a public open proxy or something, but I've never been into the world of spoofers, so I don't know if I can `create` an IP in any way...

I just want to know, is it possible that someone is `creating` an IP, so that his IP is recorded over and over in my database, because it is different all the time?

like I said, if they do enter my site using a `legitimate` IP then it's OK, although they might need to use several proxies or several ISPs...

I just don't want the IP list field in my database to show a record like: "909090.09009.90090.90909" or "myIP" or "NULL"

a simpler question:
"will 'REMOTE_ADDR' always get the legitimate numeric IP address from the viewer?"

thanks in advance




Response Number 1
Name: anonproxy
Date: January 14, 2004 at 11:31:53 Pacific
Reply:

"will 'REMOTE_ADDR' always get the legitimate numeric IP address from the viewer?"

No. It will get the public IP of the host making the request.

"I don't know if I can `create` an IP in any ways..."

Here is what IP spoofing is about:

Firstly, it is based on IP being a connectionless protocol. It does not keep track of addresses nor offer any reliability (other than ICMP). Secondly, it is easy to alter IP packets.

With IP being moldable, you need to find a neighbor of the target's and pretend to be that neighbor (spoof the neighbor's address).

This neighbor should have some network relationship to the target. Usually the same subnet or related via a network service. The infamous r* commands (like rlogin) rely on weak trust, like a neighbor having the correct IP address. It is best if the neighbor and the target have explicit configurations to one another, if you want to break in to the target system. If you are only trying to spoof an address, you only care about getting the address verified in a handshake and nothing more.

Disabling the neighbor means shutting down its ability to communicate with the target host. A SYN flood is the traditional route.

Once disabled, you send a spoofed SYN packet to the target (spoofed as the neighbor machine), who responds with a SYN/ACK to the real neighbor. This is dropped, but you send an ACK with a TCP sequence number (hoping it matches exactly or is greater). You usually preempt a target and try to get a handle on predicting their initial sequence numbers. Once the target accepts the sequence number, the address is successfully spoofed.

This probably will not work on many subnets because it is well known and routers have been configured against this specific attack. You would do better to use many zombie machines.

I would not worry too much about the IP address. Instead, use other means to validate the user when possible.



Response Number 2
Name: Laler
Date: January 16, 2004 at 09:13:53 Pacific
Reply:

thanks for the explanation although it is still a little bit over my head =D I think you explained it very well, thank you, but it is me who still lacks experience =D

ok... if I understand correctly, someone could only `spoof` if he has access to my `neighbour`? so if my server is in a good hosting company (assumed has a good network) then it will be ok ?

actually I'm asking this question because I'm setting up a script that will only allow someone to open a page once in a day - based on IP (got ideas for a better method?)... it's ok if they're reopening the page by using another IP or using a proxy, as long as it's not so easy that they can do 100 connections per 10 minutes for example...

will $_SERVER['REMOTE_ADDR'] always get the legitimate numeric IP address from the viewer? or maybe someone could access the page in a way that will make the 'REMOTE_ADDR' value into something like: "NULL" or "hehehe"...



Response Number 3
Name: anonproxy
Date: January 16, 2004 at 23:01:26 Pacific
Reply:

"as long as it's not so easy that they can do 100 connections per 10 minutes for example..."

No, your method will prevent this. At most, let us say every 3 minutes, 20 times an hour, etc.

"will $_SERVER['REMOTE_ADDR'] always get the legitimate numeric IP address from the viewer?"

No, we already went over that. It only gets the IP of the machine which sends the HTTP request. As you know, this could be a router or proxy. But as you said, this is unimportant to you.

"ok... if I understand correctly, someone could only `spoof` if he has access to my `neighbour`?"

I forgot to mention a very important point: what you know as IP spoofing and what I outlined above do not apply to your questions. Any packets sent by the target machine will go to the wrong address. The method above will only make a one-way connection (from attacker to the target). Why? Because the target will be sending IP packets to the wrong host. If the attacker has captured shell access, this hardly matters of course. But for what you are doing, it negates any worry.

"so if my server is in a good hosting company (assumed has a good network) then it will be ok ?"

Yes. A regular Linksys router/firewall in default configuration will prevent most spoofing.

If you want, just create a file/sql entry serverside and if the user tries to access the page, check to see if a file/entry exists. In the file/entry, set the date. When the date is invalid, overwrite it and allow access. If you are concerned about space (in MySQL, this should be minimal and very fast with an index), write a script and query to check all the dates and delete ones which are old.
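
The server-side date entry described in Response 3, together with a format check on REMOTE_ADDR before it is stored, as an added example that is not part of the original thread. It assumes PHP 7.1 or later with the pdo_sqlite extension; the `page_access` table and all function names are hypothetical.

```php
<?php
// Added example; the page_access table and function names are hypothetical.
// REMOTE_ADDR is set by the web server from the TCP connection, not from a
// request header. Validating it still guarantees only IP literals get stored.
function client_ip(array $server): ?string
{
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function open_store(string $dsn): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS page_access (
                   ip TEXT PRIMARY KEY, last_seen INTEGER NOT NULL)');
    return $db;
}

// True (and the visit is recorded) when $ip has no entry newer than $window seconds.
function allow_visit(PDO $db, string $ip, int $now, int $window = 86400): bool
{
    $db->beginTransaction();
    $sel = $db->prepare('SELECT last_seen FROM page_access WHERE ip = :ip');
    $sel->execute([':ip' => $ip]);
    $last = $sel->fetchColumn();            // false when no entry exists
    $allowed = ($last === false) || ($now - (int) $last >= $window);
    if ($allowed) {                         // missing or expired: overwrite the date
        $up = $db->prepare('REPLACE INTO page_access (ip, last_seen) VALUES (:ip, :now)');
        $up->execute([':ip' => $ip, ':now' => $now]);
    }
    $db->commit();
    return $allowed;
}

// Housekeeping query: delete entries whose date is older than the window.
function purge_old(PDO $db, int $now, int $window = 86400): int
{
    $del = $db->prepare('DELETE FROM page_access WHERE last_seen <= :cutoff');
    $del->execute([':cutoff' => $now - $window]);
    return $del->rowCount();
}

// Constructed demo input: in-memory SQLite and a documentation-range address.
$db = open_store('sqlite::memory:');
$t0 = 1074300000;
var_dump(client_ip(['REMOTE_ADDR' => 'hehehe']));    // rejected by the format check
$ip = client_ip(['REMOTE_ADDR' => '192.0.2.10']);
foreach ([$t0, $t0 + 600, $t0 + 86400] as $t) {      // first visit, repeat, next day
    var_dump(allow_visit($db, $ip, $t));
}
```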



Response Number 4
Name: gimmyfood
Date: January 21, 2004 at 11:54:42 Pacific
Reply:

You'll have a higher success rate with the "correct" IP if you use this

<?php
$ip = getenv("REMOTE_ADDR"); // get the ip number of the user
?>

Give that a try :)

