Fixed issue: Participant IP address not correctly captured if server …

…is behind proxy
LimeSurvey · Apr 14, 2012 · 00c352b · 00c352b
1 parent 3dc5adb
commit 00c352b
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 10 deletions.
diff --git a/admin/dataentry.php b/admin/dataentry.php
@@ -351,7 +351,7 @@
 				"identifier"=>$saver['identifier'],
 				"access_code"=>$password,
 				"email"=>$saver['email'],
-				"ip"=>$_SERVER['REMOTE_ADDR'],
+				"ip"=>getIPAddress(),
 				"refurl"=>getenv("HTTP_REFERER"),
 				'saved_thisstep' => 0,
 				"status"=>"S",

diff --git a/admin/login_check.php b/admin/login_check.php
@@ -183,7 +183,7 @@
 
 
         //include("database.php");
-        $sIp = $_SERVER['REMOTE_ADDR'];
+        $sIp = getIPAddress();
         $query = "SELECT * FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';";
         $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;
         $result = $connect->query($query) or safe_die ($query."<br />".$connect->ErrorMsg());

diff --git a/admin/usercontrol.php b/admin/usercontrol.php
@@ -100,7 +100,7 @@
         {
             include("database.php");
 
-            $sIp=   $_SERVER['REMOTE_ADDR'];
+            $sIp = getIPAddress();
             $query = "SELECT * FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';";
             $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;
             $result = $connect->query($query);

diff --git a/classes/expressions/LimeExpressionManager.php b/classes/expressions/LimeExpressionManager.php
@@ -3236,7 +3236,7 @@ private function _UpdateValuesInDatabase($updatedValues, $finished=false,$setSub
                 $today = date_shift(date("Y-m-d H:i:s"), "Y-m-d H:i:s", $this->surveyOptions['timeadjust']);
                 $sdata = array(
                 "datestamp"=>$today,
-                "ipaddr"=>(($this->surveyOptions['ipaddr'] && isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : ''),
+                "ipaddr"=>(($this->surveyOptions['ipaddr']) ? getIPAddress() : ''),
                 "startlanguage"=>$this->surveyOptions['startlanguage'],
                 "token"=>($this->surveyOptions['token']),
                 "datestamp"=>($this->surveyOptions['datestamp'] ? $_SESSION['datestamp'] : NULL),
@@ -3295,8 +3295,8 @@ private function _UpdateValuesInDatabase($updatedValues, $finished=false,$setSub
                 if ($this->surveyOptions['datestamp'] && isset($_SESSION['datestamp'])) {
                     $setter[] = db_quote_id('datestamp') . "=" . db_quoteall($_SESSION['datestamp']);
                 }
-                if ($this->surveyOptions['ipaddr'] && isset($_SERVER['REMOTE_ADDR'])) {
-                    $setter[] = db_quote_id('ipaddr') . "=" . db_quoteall($_SERVER['REMOTE_ADDR']);
+                if ($this->surveyOptions['ipaddr']) {
+                    $setter[] = db_quote_id('ipaddr') . "=" . db_quoteall(getIPAddress());
                 }
                 if ($finished) {
                     $setter[] = db_quote_id('submitdate') . "=" . db_quoteall($_SESSION['datestamp']);

diff --git a/common_functions.php b/common_functions.php
@@ -7247,7 +7247,7 @@ function fixSubquestions()
 /**
  * Need custom version of JSON encode to avoid having Expression Manager mangle it
  * @param type $val
- * @return type 
+ * @return type
  */
 function ls_json_encode($val)
 {
@@ -7256,4 +7256,26 @@ function ls_json_encode($val)
     return $ans;
 }
 
+/**
+* This function returns the real IP address under all configurations
+*
+*/
+function getIPAddress()
+{
+    $ip='';
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    elseif (!empty($_SERVER['REMOTE_ADDR']))
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+
 // Closing PHP tag intentionally omitted - yes, it is okay
diff --git a/qanda.php b/qanda.php
@@ -4045,7 +4045,7 @@ function do_shortfreetext($ia)
         }
         else{
             if ((int)($qidattributes['location_nodefaultfromip'])==0)
-                $currentLatLong = getLatLongFromIp($_SERVER['REMOTE_ADDR']);
+                $currentLatLong = getLatLongFromIp(getIPAddress());
             if (!isset($currentLatLong) || $currentLatLong==false){
                 $floatLat = 0;
                 $floatLng = 0;

diff --git a/save.php b/save.php
@@ -122,7 +122,7 @@ function savedcontrol()
         {
             $today = date_shift(date("Y-m-d H:i:s"), "Y-m-d H:i:s", $timeadjust);
             $sdata = array("datestamp"=>$today,
-			"ipaddr"=>$_SERVER['REMOTE_ADDR'],
+			"ipaddr"=>getIPAddress(),
 			"startlanguage"=>$_SESSION['s_lang'],
 			"refurl"=>getenv("HTTP_REFERER"));
             //One of the strengths of ADOdb's AutoExecute() is that only valid field names for $table are updated
@@ -143,7 +143,7 @@ function savedcontrol()
 		"identifier"=>$_POST['savename'], // Binding does escape , so no quoting/escaping necessary
 		"access_code"=>md5($_POST['savepass']),
 		"email"=>$_POST['saveemail'],
-		"ip"=>$_SERVER['REMOTE_ADDR'],
+		"ip"=>getIPAddress(),
 		"refurl"=>getenv("HTTP_REFERER"),
 		"saved_thisstep"=>$thisstep,
 		"status"=>"S",