Andrew Garrett wrote:
> We were checking $_SERVER['X_FORWARDED_FOR'], which reads the X-Forwarded-For header. Unfortunately, it could be overridden by sending an X_Forwarded_For header.
> We resolved it by using the apache-specific header retrieval functions instead of PHP's broken internal implementation.
It's not PHP's fault. The HTTP_* environment variables are part of the CGI standard, which provides no way to distinguish between X-Forwarded-For and x_forwarded_for.
http://hoohoo.ncsa.illinois.edu/cgi/env.html#headers
So really it's NCSA's fault for inventing such a broken protocol, and Apache's fault for implementing it. There's not much PHP can do at that point, apart from implementing SAPI-specific workarounds, which is what they did.
-- Tim Starling
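The collision the thread describes, modelled as an added example (not code from the thread, MediaWiki, Apache or PHP): the CGI HTTP_* rule folds `-` and `_` into the same environment variable name, so `X-Forwarded-For` and `X_Forwarded_For` both land in `HTTP_X_FORWARDED_FOR`. It assumes the server simply overwrites on collision and shows the two defensive options: read the raw header list by exact name (what the apache-specific functions give you) and flag requests whose header names collide.

```python
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]  # (raw header name, value)


def cgi_env_name(header_name: str) -> str:
    """CGI's HTTP_* rule: prefix HTTP_, upper-case, and turn every
    non-alphanumeric character (including '-') into '_'."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header_name).upper()


def build_cgi_env(raw_headers: List[Header]) -> Dict[str, str]:
    """Model of the server filling the CGI environment (and thus $_SERVER).
    Assumption: a later header with the same CGI name overwrites the earlier one."""
    env: Dict[str, str] = {}
    for name, value in raw_headers:
        env[cgi_env_name(name)] = value
    return env


def colliding_headers(raw_headers: List[Header]) -> Dict[str, List[str]]:
    """Defensive check: group raw header spellings by CGI name and return only
    the groups where more than one distinct spelling maps to the same variable."""
    groups: Dict[str, List[str]] = {}
    for name, _ in raw_headers:
        spellings = groups.setdefault(cgi_env_name(name), [])
        if name not in spellings:
            spellings.append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def forwarded_for_from_raw(raw_headers: List[Header]) -> Optional[str]:
    """Raw-header lookup (the apache_request_headers()-style fix): HTTP field
    names are case-insensitive, but '-' and '_' are different characters, so
    only the exact X-Forwarded-For spelling is accepted."""
    for name, value in raw_headers:
        if name.lower() == "x-forwarded-for":
            return value
    return None


# Constructed request carrying both spellings; addresses are documentation ranges.
SAMPLE_HEADERS: List[Header] = [
    ("Host", "example.invalid"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("X_Forwarded_For", "192.0.2.1"),
]
```

With `SAMPLE_HEADERS`, `build_cgi_env` reports the underscore variant's value while `forwarded_for_from_raw` returns the real header, and `colliding_headers` names the pair so the request can be logged or rejected.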