coopster - 1:56 pm on Mar 13, 2008 (gmt 0)
No. As stated, many are user-supplied. In the case of REMOTE_ADDR you can use a regular expression to check for an IP address. If it doesn't look like one, discard it, send an error message, log the issue, ... however you decide to handle it. Bare minimum, I strip_tags() before using htmlentities() to display the information.
Well said. Don't trust user-supplied input. Period. Can I assume that all the various $_SERVER[] variables are always safe to use, and can't be manipulated from the outside?
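An added example (not code from the thread) of the handling described in the post above: check that REMOTE_ADDR looks like an IP address, log and discard it if it does not, and run strip_tags() then htmlentities() on any $_SERVER value before displaying it. PHP's filter_var() is used here in place of a hand-written regular expression; the function names and the sample array are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/**
 * Return REMOTE_ADDR if it is a syntactically valid IPv4/IPv6 address,
 * otherwise log the rejected value and return null.
 * filter_var() stands in for the regular expression mentioned in the post.
 */
function checked_remote_addr(array $server): ?string
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    $valid = filter_var($addr, FILTER_VALIDATE_IP);
    if ($valid === false) {
        // Encode before logging so control characters cannot forge log lines.
        error_log('Rejected malformed REMOTE_ADDR: ' . rawurlencode($addr));
        return null;
    }
    return $valid;
}

/**
 * Prepare a $_SERVER value for HTML output the way the post describes:
 * strip_tags() first, then htmlentities().
 */
function display_safe(string $value): string
{
    return htmlentities(strip_tags($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample standing in for $_SERVER. The HTTP_* entries are copied
// from request headers, so the client chooses their content.
$sample = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => '<script>alert(1)</script>Mozilla/5.0',
    'HTTP_REFERER'    => 'http://example.test/?q="><b>x</b>',
];

$addr = checked_remote_addr($sample);
echo 'client: ', $addr === null ? '(discarded)' : display_safe($addr), "\n";

foreach (['HTTP_USER_AGENT', 'HTTP_REFERER'] as $key) {
    echo $key, ': ', display_safe($sample[$key] ?? ''), "\n";
}

// A value that does not look like an IP address is discarded and logged.
$bad = checked_remote_addr(['REMOTE_ADDR' => '10.0.0.1<script>']);
echo 'malformed input: ', $bad === null ? '(discarded)' : $bad, "\n";
```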