5 Ways to Validate an IP Address in PHP

Validating IP addresses in PHP is a common task for ensuring application security and data quality. Here, you'll find five distinct methods for IP validation, complete with working code snippets. We also examine the pitfalls of these traditional approaches and show how Abstract API effectively solves these issues.

How to Implement IP Address Validation in PHP

This section details four different methods to validate IP addresses in PHP. Each approach has a specific use case, from simple checks to more complex pattern matching for custom policies.

Validation with `filter_var` and `FILTER_VALIDATE_IP`

PHP’s `filter_var` extension provides a reliable way to check IP addresses. It uses the same library as the core system for network functions, which ensures consistent handling of IPv4 and IPv6 addresses.

To perform the validation, you pass the "FILTER_VALIDATE_IP" flag to the function. You can also use a bitmask to scope the check for specific IP versions.

For example, the "FILTER_FLAG_IPV4" flag restricts validation to IPv4 addresses only. For IPv6, you can use a combination of flags like "FILTER_FLAG_IPV6" and "FILTER_FLAG_NO_RES_RANGE".

Flags like "FILTER_FLAG_NO_PRIV_RANGE" and "FILTER_FLAG_NO_RES_RANGE" let you block private and reserved address ranges. More details are available on the PHP manual page. These IPv6 tips offer further insight.

function isIp(string $ip, int $flags = 0): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

Validation with `inet_pton` and `inet_ntop`

The `inet_pton()` function converts a human-readable IP address into its packed, in-addr.arpa format. It returns `false` if the input string is not a valid IPv4 or IPv6 address.

This makes the validation process straightforward. It also avoids extra memory allocation because no string manipulation happens if the parsing fails.

The function is dual-stack aware, so you do not need separate code paths for IPv4 and IPv6. The resulting binary data can be stored or later re-expanded with `inet_ntop()`. This is one of several ways to validate an IP.

function isIpBinary(string $ip): bool
{
    return inet_pton($ip) !== false;
}

Round-Trip Validation with `ip2long` and `long2ip`

This method works only for IPv4 addresses. The `ip2long()` function can tolerate non-standard syntaxes, such as "0x7f.1" or "0177.1", which can lead to incorrect validations if used alone.

To ensure accuracy, you must perform a round-trip check. First, convert the IP to an integer with `ip2long()`, then convert it back to a dotted-quad string with `long2ip()` and compare it to the original input.

This process is faster than regular expression matching and effectively catches alternate notations. You should only use this method when you explicitly need to disallow IPv6 addresses, as detailed in these validation methods.

function isIpv4Strict(string $ip): bool
{
    $long = ip2long($ip);
    return $long !== false && long2ip($long) === $ip;
}

Regex Validation with `preg_match`

Regular expressions are useful when you need to enforce a policy that built-in functions do not support. For example, you might want to forbid the use of "0" in any octet.

To do this, you write a finite, anchored expression and test the IP address against it with `preg_match`.

For IPv6, it is best to generate the pattern with an algorithm or use a library. Hand-crafting a full IPv6 regex is complex and prone to errors, as noted by Sling Academy.

const IPV4_STRICT =
    '/^(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)'
    . '(\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)){3}$/';

function isIpv4Regex(string $ip): bool
{
    return (bool)preg_match(IPV4_STRICT, $ip);
}

Challenges of IP Address Validation in PHP

While these PHP functions offer validation capabilities, they come with significant drawbacks. These issues can compromise security and create unreliable outcomes, which makes robust IP validation a complex task.

• The behavior of `filter_var` with `FILTER_VALIDATE_IP` changes between PHP versions. A previously valid IP might fail validation after a minor update, which creates unpredictable results and makes the function's output hard to trust across different environments.
• Attackers exploit alternate notations like octal or hexadecimal. These can bypass weak `preg_match` patterns or incorrect `filter_var` flags. The IP resolves differently at the socket layer, which subverts security logic like allow or deny lists.
• The dual-stack reality of IPv4 and IPv6 complicates validation. Methods like `ip2long` only support IPv4, while comprehensive `preg_match` patterns for all IPv6 formats are complex to create and maintain, which leaves edge cases unvalidated.
• Validation functions like `filter_var` and transport libraries can parse IPs differently. This divergence produces false positives or negatives. Attackers exploit these inconsistencies to bypass access controls or execute server-side request forgery attacks.