I found this on my WordPress news thang when I logged in today. Another WordPress user decided to write this article so that other developers would know that the $_SERVER variable is NOT safe.

Even though Mark just talks about forms, I would recommend you never use a $_SERVER variable; there are better and more secure ways to gain server information. It is so important that developers who do not know this understand that $_SERVER variables are NOT fine within your pages, and you should always seek a workaround.

The server variable is not safe raw; however, certain variables can be used in your code (such as REMOTE_ADDR, etc.). But I stand by what I said like 2 years ago, that PHP_SELF is “evil”.
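
As an added illustration (this is my own example, not code from the post or from Mark's article), here is the raw PHP_SELF form pattern next to two safer alternatives, plus a validated read of REMOTE_ADDR; the function names are assumptions and it assumes a web server that populates those $_SERVER keys.

```php
<?php
// Added example, not code from the original post. Assumes a web server that
// populates $_SERVER['PHP_SELF'], $_SERVER['SCRIPT_NAME'] and $_SERVER['REMOTE_ADDR'].

// UNSAFE: PHP_SELF includes any extra path info the client appended to the URL
// after the script name, so echoing it raw lets client-supplied text land in the HTML.
//   echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';

// Safer 1: escape on output, so whatever is in the path is rendered as text, not markup.
function form_action_escaped(): string
{
    return htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Safer 2: SCRIPT_NAME is the path of the executing script only, without client-supplied
// path info; still escape it, because every $_SERVER value is untrusted until checked.
function form_action_script(): string
{
    return htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// REMOTE_ADDR comes from the TCP connection rather than a client-editable header, which
// is why it is usable, but validate it before storing or echoing it (and remember that
// behind a reverse proxy it is the proxy's address, not the visitor's).
function client_ip_validated(): ?string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : null;
}

echo '<form action="' . form_action_script() . '" method="post">';
echo '<input type="text" name="q"><input type="submit" value="Go">';
echo '</form>';
```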

Who’s the stupid one now? 😛


