Check if an IPv4 Address is Inside a CIDR Range

Allowlists, rate-limit exemptions, and access rules are often expressed as CIDR blocks like 10.0.0.0/8, and you need to test whether a given address falls inside one. The check is pure integer arithmetic once you stop thinking of addresses as strings, which makes it fast enough to run on every request without a second thought.

The function converts both the candidate address and the network address to 32-bit integers with ip2long, builds a netmask by shifting negative one left by the number of host bits, and compares the two addresses after masking off the host portion. If the network bits match, the address is in the block. A prefix length of zero matches every address by definition, and any address that fails to parse raises an error instead of silently returning a wrong answer.

function ipInCidr(string $ip, string $cidr): bool {
    [$subnet, $prefix] = explode('/', $cidr) + [1 => '32'];
    $prefix = (int) $prefix;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        throw new InvalidArgumentException('Invalid IPv4 address');
    }
    if ($prefix < 0 || $prefix > 32) {
        throw new InvalidArgumentException('Prefix must be 0 to 32');
    }
    if ($prefix === 0) {
        return true;
    }
    $mask = -1 << (32 - $prefix);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

var_dump(ipInCidr('192.168.1.50', '192.168.1.0/24')); // true
var_dump(ipInCidr('10.0.0.5', '192.168.0.0/16'));      // false
var_dump(ipInCidr('172.16.4.9', '172.16.0.0/12'));     // true