Actually, I would be prone to trust $_SERVER['REMOTE_ADDR'] , as if that is incorrect, the server will not know where to send the response (as in a spoofed IP). I have yet to have a problem with that.
The function you should be wary of, is $_SERVER["REMOTE_HOST"] . If there has been some DNS poisoning going on, this will steer you wrong, and even gethostbyaddr($detected_ip) can't be perfectly trusted. However, once they started hopping DNS ports, this is alot more sure. Of course, if global variables are on, all bets are off.
But other than that, the lack of variable sanitization before playing with SQL, is atrocious in the example script.
Skiddies dream of stuff like that being exposed.