Something's wrong with your reporting software, there. If no IP address is provided with a TCP/IP request, then your server cannot send anything back to the requester. Therefore, "registration" would be quite impossible.

In fact, they wouldn't even be able to view your site or any other -- They could not receive anything from the servers. The HTTP protocol cannot work if no IP address is provided at the TCP/IP level.

Jim

Thanks for the reply, Jim.

I thought it was really strange, too. I don't know if it makes any difference but I assume they're using a bot to send requests to my registration script rather than actually visiting my website through a browser.

I added some PHP code to collect their IP address and then I banned all users who don't have an IP which essentially are just the few spammer registrations.

But now they started signing up with IP addresses so I added functionality to allow me to ban the IP addresses they're using.

Anyway, whether they do or dont have an IP I should be able to control their access now. Still, it is kind of wierd that the script wasn't capturing their IP. Here's the script:

function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}

Thanks again.

[edited by: jatar_k at 4:06 pm (utc) on Dec. 17, 2008]
[edit reason] added code [/edit]

It seems they are actually still signing up without an IP address. It's going to be a real pain if I have to ban their multiple usernames every single day manually.

Is the script I found missing something or are they masking their IP somehow?

I also don't understand how they're able to register since I have additional code that doesn't add new users to the database unless they have an ip address. In fact, I also have an include in all of my pages that doesn't even allow access to my site if no IP is detected.

Do you think they're bypassing my registration script and somehow sending a query directly to my database?

Perhaps you should fix your code. Return the IP from the $_SERVER['REMOTE_ADDR'] only. Also check the $_SERVER['HTTP_CLIENT_IP'], HTTP_X... etc for addresses but if one of these parameters is set, it means a proxy and so you should block the page access. There is no point allowing accesses to customers or even bots behind known proxies. Something like that could hurt your site in many different ways.

And avoid using permanent bans to ips.

PS: The bug in your code, is that someone could setup the HTTP_CLIENT_IP or HTTP_X... header vars on purpose (which some space chars) in which case your code returns an invalid IP.

Yes REMOTE_ADDR is the correct variable, and trying to use HTTP_CLIENT_IP is the likely cause of the failures to detect an IP address; As I said, "Something's wrong with your reporting software, there."

Again, it is impossible to use HTTP if a sending client doesn't send a valid and correct IP address in outgoing TCP/IP packets because as a result, server replies cannot be routed back to the sender. The IP address is added by the sender's TCP/IP stack, and any packet with an invalid or incorrect sender IP address cannot be replied-to. The TCP/IP protocol is the lower-level protocol upon which HTTP connections depend, and HTTP cannot work if improper TCP/IP packets are received.

Jim

Thanks for the tips, guys. I reduced my code to the following:

$ip=$_SERVER['REMOTE_ADDR'];
if(!$ip) { 
die("Your access to our website has been disabled.");
}

Yet still they are able to register. I'm inserting their ip address into my database at the time of registration and sometimes their spam signups show an IP and sometimes it doesnt which is hard to believe considering the code above should be preventing them from even viewing my website.

Any other ideas? Thanks again for your help.

if(!isset($_SERVER['REMOTE_ADDR']) ¦¦ !trim($_SERVER['REMOTE_ADDR'])) {
die("Your access to our website has been disabled.");
}

you'd need to replace the broken ¦ with the pipe character.