Andrew Garrett wrote:
We were checking $_SERVER['X_FORWARDED_FOR'], which reads the
X-Forwarded-For header. Unfortunately, it could be overridden by sending
an X_Forwarded_For header.
We resolved it by using the Apache-specific header retrieval functions
instead of PHP's broken internal implementation.

It's not PHP's fault. The HTTP_* environment variables are part of the
CGI standard, which provides no way to distinguish between
X-Forwarded-For and x_forwarded_for.
http://hoohoo.ncsa.illinois.edu/cgi/env.html#headers
So really it's NCSA's fault for inventing such a broken protocol, and
Apache's fault for implementing it. There's not much PHP can do at
that point, apart from implementing SAPI-specific workarounds, which
is what they did.
-- Tim Starling
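
The name collision discussed in this thread, shown as an added example that is not part of the original messages or of MediaWiki's code: the CGI mapping turns both header names into the same variable, while a lookup on the raw header names (the kind of list `apache_request_headers()` returns) can tell them apart. The function names `cgiVarName` and `strictHeader` are hypothetical, and the request headers are constructed sample data.

```php
<?php
// Added example: not MediaWiki's code. Header data below is constructed.

/** CGI mapping of a request header name to its HTTP_* variable name. */
function cgiVarName(string $header): string {
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

/**
 * Look up a header by its exact wire name (case-insensitive, as HTTP
 * requires) in a list like the one apache_request_headers() returns.
 * Names that merely collide under the CGI mapping are reported, not used.
 *
 * @param array<string,string> $rawHeaders header name => value
 * @return array{value: ?string, colliding: string[]}
 */
function strictHeader(array $rawHeaders, string $wanted): array {
    $value = null;
    $colliding = [];
    foreach ($rawHeaders as $name => $v) {
        if (strcasecmp($name, $wanted) === 0) {
            $value = $v;
        } elseif (cgiVarName($name) === cgiVarName($wanted)) {
            $colliding[] = $name;
        }
    }
    return ['value' => $value, 'colliding' => $colliding];
}

// Constructed request: the proxy set X-Forwarded-For, and a second
// header with the underscore spelling arrived alongside it.
$raw = [
    'Host'            => 'wiki.example',
    'X-Forwarded-For' => '198.51.100.7',
    'X_Forwarded_For' => '203.0.113.99',
];

// Both names collapse to one CGI variable, so a CGI-style lookup cannot
// tell which header supplied the value.
var_dump(cgiVarName('X-Forwarded-For') === cgiVarName('X_Forwarded_For'));

$result = strictHeader($raw, 'X-Forwarded-For');
echo 'trusted value: ', $result['value'], "\n";
echo 'colliding names: ', implode(', ', $result['colliding']), "\n";
```

A non-empty `colliding` list is worth logging, since a well-behaved proxy has no reason to send the underscore spelling.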