coopster - 6:12 pm on Mar 13, 2008 (gmt 0)

The address might be faked

... faked by the user, therefore user-supplied. Do yourself a favor and treat it as such.

'REMOTE_HOST' is only available if "HostnameLookups" is set to "on" in apache's configuration.

This is not entirely true. But don't feel bad, there are very few people that realize if you use Allow [httpd.apache.org]/Deny directives with a partial domain-name match Apache will indeed populate the REMOTE_HOST environment variable, regardless of the setting of the HostnameLookups directive. This happens because it causes Apache to perform a double reverse DNS lookup on the client IP address.