According to this post: Which $_SERVER variables are safe? and another I’ve seen, a client seems to be able to set custom $_SERVER variables. For example: $_SERVER[‘HTTP_EXAMPLE’]
How would a client actually set a value to $_SERVER[‘HTTP_EXAMPLE’]?
If you have access to the Apache config file, you can do it using mod_env
SetEnv HTTP_EXAMPLE http_example
Then you can access that variable
echo $_SERVER["HTTP_EXAMPLE"]; //outputs http_example
You can just set the variable in your script if you want
$_SERVER['DOCUMENT_ROOT'] = 'test'; echo $_SERVER['DOCUMENT_ROOT']; // test
What that other article is really referring to spoofed variables such as the
REMOTE_ADDR which is reported by the client.
For more info on that check out this post on faking the REMOTE_ADDR. How to fake $_SERVER['REMOTE_ADDR'] variable?