Safety using $_SERVER variables

I'm working on a system that relies on $_SERVER['REMOTE_ADDR'] to get the user address and check it against a white list of addresses. Is this approach safe? Or is there a way of forcing values in superglobal variables?

Thank you, Diogo


The value itself should be safe from outside injection - it is served by the web server - but the client IP can be spoofed.

Related good reading: What is the most accurate way to retrieve a user’s correct IP address in PHP?


The approach is safe.

The entries in this array are created by the web server.


The value in $_SERVER['REMOTE_ADDR'] is set by Apache (or whatever web server you're using), not by the user. So unless the user has access to the system itself (and not just web access), then you shouldn't have to worry about the user modifying it. You might, however, need to worry about addresses of proxies if you need to whitelist a user behind one.


There is nothing the user can do to "force a value into this superglobal".

I am not sure if other PHP code could do that, but that should be under your control.

Also, if there are proxies between you and the user, you should check if the REMOTE_ADDR is set correctly. I would think that if you use Apache (and well-behaved proxies), that case would be handled properly.
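
An allowlist check along the lines the answers above describe, as an added example that is not code from the question or any of the answers. The function names, the constants and the addresses (documentation ranges) are constructed for illustration, and the `X-Forwarded-For` handling assumes a reverse proxy you operate that appends the connecting address to that header.

```php
<?php
// Constructed sample values (documentation ranges); every name here is hypothetical.
const ALLOWED_NETS    = ['203.0.113.0/24', '2001:db8::/32'];
const TRUSTED_PROXIES = ['192.0.2.10/32']; // a reverse proxy you operate yourself

/** True when $ip lies inside $cidr (IPv4 or IPv6). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4 compared with IPv6
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits ?? (string) $max; // no prefix given: exact-address match
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false; // malformed prefix length
    }
    $full = intdiv((int) $bits, 8);
    $rest = (int) $bits % 8;
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false; // the whole bytes of the prefix differ
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF; // covers the remaining prefix bits
    return $rest === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function inAnyNet(string $ip, array $nets): bool
{
    return (bool) array_filter($nets, fn ($cidr) => ipInCidr($ip, $cidr));
}

/** Address to check: REMOTE_ADDR, unless the TCP peer is one of our own proxies. */
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !inAnyNet($peer, TRUSTED_PROXIES)) {
        return $peer; // the header is client-supplied; ignore it on direct connections
    }
    $hops = array_map('trim', explode(',', $xff));
    return end($hops); // right-most entry is the one our proxy appended
}

if (!inAnyNet(clientIp($_SERVER), ALLOWED_NETS)) {
    http_response_code(403);
    exit('Forbidden');
}
```

The check fails closed: a missing or unparsable address matches no network, so the request is refused.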
