Is echo $_SERVER['REMOTE_ADDR']; safe?


SteveWh - 8:28 pm on Mar 12, 2008 (gmt 0)


I want to show visitors what their IP is. I think this code should do it:

if (isset($_SERVER['REMOTE_ADDR']) && strlen($_SERVER['REMOTE_ADDR']) > 0)
    echo $_SERVER['REMOTE_ADDR'];
else
    echo 'Unknown.';

register_globals is Off.

Can I trust that $_SERVER['REMOTE_ADDR'] will always be either a valid value set by the server, or blank?

I want to be sure it's impossible for a user to inject a value through the query string (or any other way) that would cause something other than the real IP to be displayed on the page.

Do I need to use anything like htmlspecialchars() or strip_tags()?

I know this won't detect proxies, but I don't want to deal with anything like HTTP_X_FORWARDED_FOR, which apparently can be easily spoofed.

I'll be satisfied with $_SERVER['REMOTE_ADDR'] as long as I know it might be right or wrong, but never maliciously spoofed.

----

Can I assume that all the various $_SERVER[] variables are always safe to use, and can't be manipulated from the outside?
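
Added example, not part of the original post: one way to display the address defensively. It relies on REMOTE_ADDR being the peer address of the connection as filled in by the web server, while HTTP_* entries are copied from request headers the client writes. The function names and the sample array are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.

// Return a string safe to echo into HTML: the address if it parses as
// IPv4 or IPv6, otherwise the poster's 'Unknown.' fallback.
function displayable_ip(array $server): string
{
    $raw = $server['REMOTE_ADDR'] ?? '';
    // FILTER_VALIDATE_IP returns the address string, or false if it does not parse.
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    if ($ip === false) {
        return 'Unknown.';
    }
    // Escaping is kept so the rule stays "escape everything echoed into HTML",
    // even for a value that has already been validated.
    return htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
}

// List the keys of a $_SERVER-style array that are copied from request
// headers (HTTP_*) or derived from the request line. These are written by
// the client. A key missing from this list is not thereby guaranteed safe.
function client_influenced_keys(array $server): array
{
    $request_line_keys = ['REQUEST_URI', 'QUERY_STRING', 'PHP_SELF', 'PATH_INFO'];
    $out = [];
    foreach (array_keys($server) as $key) {
        if (strncmp($key, 'HTTP_', 5) === 0 || in_array($key, $request_line_keys, true)) {
            $out[] = $key;
        }
    }
    return $out;
}

// Constructed sample standing in for $_SERVER (documentation-range address).
$sample = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>',
    'HTTP_USER_AGENT'      => 'example-agent',
    'REQUEST_URI'          => '/ip.php?REMOTE_ADDR=198.51.100.9',
    'SERVER_NAME'          => 'www.example.com',
];

echo displayable_ip($sample), "\n";
echo implode(', ', client_influenced_keys($sample)), "\n";
// A value that does not parse as an address never reaches the page.
echo displayable_ip(['REMOTE_ADDR' => '<b>not-an-ip</b>']), "\n";
```

With register_globals Off, the REMOTE_ADDR parameter in the sample query string only appears inside REQUEST_URI and does not touch $_SERVER['REMOTE_ADDR'].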


Thread source: http://www.webmasterworld.com/php/3598882.htm