Indeed...that is the the way I take the approach to programming PHP...do not trust the client in the slightest. Anything is suspect coming from the client, though IP addresses are generally harder to spoof, but possible. Their email address could be fake, their session id may have been hijacked, there could be an attempted SQL injection in the form value, there could be someone trying to override an uninitialized variable through $_GET with register_globals on, and so on. The data from this function is useful, yes, but don't trust it.
"$question = ( to() ) ? be() : ~be();"