It could be spoofed though, but I guess there's no simple way to validate that.

What I intended to use it for was to check how many times a specific ip had accessed the script to prevent flooding. I'm probably being overparanoid here and will just end up blocking some proxies - what do you think?