What are the best practices for handling IP address masking or proxy usage in PHP scripts to prevent security vulnerabilities?

When handling IP address masking or proxy usage in PHP scripts, it is important to validate and sanitize user input to prevent potential security vulnerabilities such as IP spoofing or injection attacks. One common practice is to use the $_SERVER['REMOTE_ADDR'] variable to retrieve the user's IP address and compare it against a list of trusted proxy servers if your application is behind a proxy. Additionally, you can use PHP functions like filter_var() with the FILTER_VALIDATE_IP filter to validate IP addresses before processing them in your script.

// Validate and sanitize user IP address
$user_ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);

// Check if the user is behind a trusted proxy server
$trusted_proxies = ['proxy1.example.com', 'proxy2.example.com'];
if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && in_array($_SERVER['REMOTE_ADDR'], $trusted_proxies)) {
    $user_ip = filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP);
}

// Use the sanitized user IP address in your script
echo "User IP address: " . $user_ip;