Question

Is using $_SERVER['REMOTE_ADDR'] for proper automatic handling of errors reliable?

I'm thinking about using it to automatically disable the display of any PHP errors, show a general "Oops, there went something wrong." error to the user and log them internally instead, if the user's IP address is not found in the white list.

The white list would contain the localhost IP and any other IP addresses such as my home PC.

But if people are able to fake $_SERVER['REMOTE_ADDR'] by setting it to whatever value they want, then I don't think this would be a good idea.


Solution

$_SERVER['REMOTE_ADDR'] is the address taken from the three-way confirmed TCP handshake. It's pretty darn robust. To fake it you have to fake the actual underlying TCP/IP connection, which is usually a tall order.

What I would be concerned about instead is changing IPs. 127.0.0.1 is probably pretty safe, but your home IP may change eventually and somebody else may get it assigned. This may not be a large problem, or it may be. Or you may appear to have the same IP as a large number of other users, with ISPs switching to carrier grade NAT over time.

All in all, using IPs at all as an identification system is flaky. IPs are an implementation detail of a data transport mechanism, nobody has ever said anything about IPs being suitable for internet-wide identification of users. I'd at least pair it with a secret cookie that needs to be set or a regular authentication that needs to have been established.
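The pairing suggested above (IP allowlist plus a secret cookie), sketched as an added example that is not part of the original answer. The allowlist entries, the `debug_token` cookie name and the `DEBUG_TOKEN_SHA256` environment variable are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: loopback plus one constructed documentation address
// (203.0.113.7) standing in for a developer's home IP.
const DEBUG_ALLOWLIST = ['127.0.0.1', '::1', '203.0.113.7'];

function isDeveloperRequest(array $server, array $cookies, string $tokenHash): bool
{
    // REMOTE_ADDR is the TCP peer address. Do not substitute client-supplied
    // headers such as X-Forwarded-For. Behind a reverse proxy on the same
    // host, every visitor arrives as 127.0.0.1, so the IP alone proves nothing.
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($ip, DEBUG_ALLOWLIST, true)) {
        return false;
    }
    // Second factor: a secret cookie (hypothetical name "debug_token").
    // Cookie values can be arrays, so check the type before hashing.
    $cookie = $cookies['debug_token'] ?? '';
    if (!is_string($cookie) || $cookie === '' || $tokenHash === '') {
        return false;
    }
    // Only the SHA-256 of the secret is stored; compare in constant time.
    return hash_equals($tokenHash, hash('sha256', $cookie));
}

function configureErrorHandling(bool $developer, string $logFile): void
{
    error_reporting(E_ALL);
    ini_set('log_errors', '1');          // always log, whoever is asking
    ini_set('error_log', $logFile);
    ini_set('display_errors', $developer ? '1' : '0');
    if (!$developer) {
        // Everyone else gets a generic page; details go to the log only.
        set_exception_handler(function (Throwable $e): void {
            error_log((string) $e);
            http_response_code(500);
            echo 'Oops, something went wrong.';
        });
    }
}

// Assumed: the lowercase hex SHA-256 of the secret is provided via the environment.
$tokenHash = getenv('DEBUG_TOKEN_SHA256') ?: '';
configureErrorHandling(
    isDeveloperRequest($_SERVER, $_COOKIE, $tokenHash),
    __DIR__ . '/php-error.log'
);
```

The check fails closed: a missing address, a missing cookie or an unset token hash all result in errors being logged but not displayed.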

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow