I spend a lot of time lurking in the #PHP channel (efnet and freenode, please - no flamewars) and this topic is a commonly asked one that usually gets a simplified answer in the form of using strpos(), or at best an ip2long() in a greater than and less than answer.

Unfortunately although people usually understand that an IP address is simply an unsigned 32 bit integer, and is easily determined, usually with $_SERVER['REMOTE_ADDR'], where the real challenge is - is in specifying the range within which they wish to check that IP address.  IP ranges are usually specified in three common ways (in increasing complexity):

1. Wildcard: 192.168.10.*
2. Start-End range: 10.1.0.0-10.1.255.255
3. CIDR*: 172.16.1.0/24

* Classless Inter-Domain Routing

The Wildcard method, or "classy", allows you to work at Class A (10.*.*.*), Class B (172.16.*.*) or Class C (192.168.10.*) levels of granularity which is how we used to do things in the old days (before the Web decided to make the Internet popular).  But, increasingly, this just isn't granular enough for practical purposes.

Thus was born CIDR (yes, I'm skipping talking about Start-End ranges for now).  CIDR brought about the concept that we really didn't need to break networks on 8, 16, 24 bit boundaries and we could be more granular by allowing the use of any number (from 2-30) to specify a range of networks.  Details on why you can't use "31" is beyond the scope of this article.

CIDR renamed the former Class A, B and C networks as /8, /16 and /24 respectively and reflects the left-most significant bits of the 32-bit IP address.  Thus was born the ability to specify very specific IP ranges in the form a.b.c.d/xx.   However, part of the problem with this is that although it concisely describes the network start and end, most normal mortal humans couldn't decipher it. CIDR addressing can also be specified in the form of a longer netmask, e.g. a.b.c.d/255.255.255.224

Thus, the simplified form of Start IP - End IP was put in place for mere mortals and is typically used by those without a networking background.  It also features heavily in consumer broadband routers and notably in Microsoft Windows DHCP server.

So having explained how a range, and by inference, that a netmask is, how can we use this knowledge to help us in determining if an IP is within a range?

What this article will attempt to do is guide you though the construction of algorithms to make the checking of IPs simpler.

Logically, Method 1 (the Wildcard), can be easily converted to Method 2 (Start-End range) by using setting Start and End to the Wildcard string and replacing the "*" character with 0 for the Start and 255 for the End, thus for example, "192.168.10.*" becomes "192.168.10.0-192.168.10.255" which should (I hope) be obvious to everyone.

We can then proceed to evaluate both Method1 and Method2 in the same way.  In this we're simply going to use the PHP built in function ip2long() on all 3 values and perform a mathematical check for Start <= IP <= End.

      list($lower, $upper) = explode('-', $range, 2);
      $lower_dec = ip2long($lower);
      $upper_dec = ip2long($upper);
      $ip_dec = ip2long($ip);
      return ( ($ip_dec>=$lower_dec) && ($ip_dec<=$upper_dec) );

Next we have the challenge of handing the CIDR netmasks. What we could do is to take a CIDR format IPaddress/netmask and calculate the Start and End IPs of that block and proceed as before - but that would be no fun - and would mean I haven't really taught anything through this article. 

The method we're going to use here is how all the world's Internet routers determine if a destination IP is in a specific CIDR address space. And we're going to get down and dirty with bitmasks and logical bitwise operators.

So using a real world example, my webserver IP 80.76.201.37 and the netblock within which it resides is 80.76.201.32/27, how does this all work?

Well the /27 indicates that the first 27 bits of the IP address are the same network and IP address in that network (range) will have those same identical first 27 bits.  Bits 28-32 are variable and allow 5 bits of variation.  If you know your binary, then this means 32 possible IPs. (However with routing, you can't use the bottom and top IP from any range as these are special and mean the network and broadcast addresses respectively. [This is also why a /31 isn't any use as you can't use the 2 addresses that space gives you]).

So thinking logically, bitwise, if I take my IP address and the CIDR spec, then all I have to do is check that the first 27 bits all match and I'm good. Correct.  So how would be do this in PHP? Sound's simple, lets just use PHP's bitwise logical AND operator:&
Again, correct. 

In order to do this we need to convert 27 into what 27 really means - a 32 bit number of 27 ones and 5 zeros in binary, or 224 in decimal.

In pseudo-code you could then do if (IP & BITMASK) == (RANGE & BITMASK) then all is good and you know that the IP is within the range.

But thats the easy way, and we don't want to make it that easy, do we? No, so how do the routers do it? The alternative method is to take range and the netmask and create a new value by setting all the variable bits to 1.
Visualising this using our real IP address (using the very handy unix tool ipcalc):

Address:   80.76.201.37         01010000.01001100.11001001.001 00101
Netmask:   255.255.255.224 = 27 11111111.11111111.11111111.111 00000
Wildcard:  0.0.0.31             00000000.00000000.00000000.000 11111
=>
Network:   80.76.201.32/27      01010000.01001100.11001001.001 00000
HostMin:   80.76.201.33         01010000.01001100.11001001.001 00001
HostMax:   80.76.201.62         01010000.01001100.11001001.001 11110
Broadcast: 80.76.201.63         01010000.01001100.11001001.001 11111
Hosts/Net: 30

You can see this in the Wildcard line of 0.0.0.31, and the Network ORed with Wildcard results in the Broadcast address: 80.76.201.63.

Knowing this, then the IP address ANDed with the Broadcast address will result in the same IP address and so can be used as a comparison for an IP residing within that broadcast range.

How can we work out this Broadcast address in PHP, again we have two strategies, one is to so a simple substr() and take the left most significant bits of the range and then simply pad out to the right with 1s.  Or we can do some math with "2 to the power of (32-range) - 1". Thus for our value /27 this gives us the decimal value 31.   OR this value with our range and we get our Broadcast address.

I'm sure by now, your screaming for some code (and if you stuck around this long, you really deserve it).

Code to manipulate a range/netmask into a broadcast address, using math, assuming:

$ip = "80.76.201.37";
$range = "80.76.201.32";
$netmask = 27;

We can converts the IPs to long integers using ip2long (denoted by variable_dec - dec being short for decimal):

$range_dec = ip2long($range);
$ip_dec = ip2long($ip);

This gives us the basis of our math, we now just need to work out the broadcast address.

Strategy 1 using substr and padding with 1s.  To do this we need a little helper function I have called decbin32().  This function simply ensures decbin() gives us back a zero padded 32 character string representing our 32 bit number.

Function decbin32 ($dec) {
  return str_pad(decbin($dec), 32, '0', STR_PAD_LEFT);
}
    $broadcast_dec = bindec(substr(decbin32($range_dec), 0, $netmask) 

                        . str_pad('', 32-$netmask, '1'));

We can achieve the same result though mathematics and ORing with the $range_dec value. This is our Strategy 2:

$wildcard_dec = pow(2, (32-$netmask)) - 1;
$broadcast_dec = $range_dec | $wildcard_dec;

Once we know the broadcast address (in decimal) as we have here, we can know that, if by ANDing this with the original IP to check results in the same IP, then the IP is within the range defined by the range/mask.

This can be checked easily with:

return (($ip_dec & $broadcast_dec) == $ip_dec);

I have pulled all of this logic together in a easily included file to provide a single function called ip_in_range($ip, $range) in which $ip is the IP address you want to validate and $range is a any of the above formats, Wildcard, Start-End addressing or CIDR.  The function will return a simple TRUE or FALSE if the IP is in that range.

The source code to the all-in function is available here:

With an example run (and source code):

I hope this article has been educational, please feel free to leave comments or feedback.