PHP: how to check if the client is local?

I need to check if a file is opened “locally” (same machine or network). I’m using:

if ((substr($_SERVER['REMOTE_ADDR'],0,8) == "192.168.") || ($_SERVER['REMOTE_ADDR'] == "")) {
    // client is local
} else {
    // client is not local

But I’m not sure this is the best way.

What is a more foolproof way of doing this?

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

What Friek said is true, but provided that you know how to get the real client’s IP, you can tell if it’s a local address using PHP filters:

    // is a local ip address

Solution 2

“Foolproof,” as always, can be tricky.

If we do restrict ourselves to IPv4, then checking for “” takes care of the localhost case, but checking against “192.168.” is plain wrong – it will only work if the script is being run on a server which happens to be on the 192.168 network, using a 16-bit subnet mask.

Checking $_SERVER[‘REMOTE_ADDR’] against $_SERVER[‘SERVER_ADDR’] would be a better bet. This still doesn’t take care of the case of a multi-homed host (ie one which has several IP addresses in addition to, though.

In order to catch all same-network cases, you’d need to check the combination of SERVER_ADDR and subnet mask against REMOTE_ADDR, but the subnet mask isn’t available in $_SERVER.

BUT I found a function which does pretty much what you want here. It’s a couple of screens down and it’s called clientInSameSubnet. Not my code, but looks right.

Solution 3

In case anyone has trouble finding the above code, suggested by @Uffe, I’ve included it below:

* Check if a client IP is in our Server subnet
* @param string $client_ip
* @param string $server_ip
* @return boolean
function clientInSameSubnet($client_ip=false,$server_ip=false) {
    if (!$client_ip)
        $client_ip = $_SERVER['REMOTE_ADDR'];
    if (!$server_ip)
        $server_ip = $_SERVER['SERVER_ADDR'];

    // Extract broadcast and netmask from ifconfig
    if (!($p = popen("ifconfig","r"))) return false;
    $out = "";
        $out .= fread($p,1024);

    // This is to avoid wrapping.
    $match  = "/^.*".$server_ip;
    $match .= ".*Bcast:(\d{1,3}\.\d{1,3}i\.\d{1,3}\.\d{1,3}).*";
    $match .= "Mask:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/im";
    if (!preg_match($match,$out,$regs))
        return false;

    $bcast = ip2long($regs[1]);
    $smask = ip2long($regs[2]);
    $ipadr = ip2long($client_ip);
    $nmask = $bcast & $smask;

    return (($ipadr & $smask) == ($nmask & $smask));

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply