DISCLAIMER: Expressed views on this blog are my own.
Let me put this quite simply.... They are not to be trusted. Treat them just like how you would treat user input because it can be spoofedl. Sooo, what should you do? I suggest using SetEnv inside of the htaccess file or the global config file. Use SetEnv to set a domain name variable with your domain and use that.
It is much easier to use HTTP_HOST or SERVER_NAME, but the dangers of XSS or SQL injection if you use these variables in various places. Most, if not all, tutorials will tell you to use these. You've opened an attack vector by using these. Absolutely horrible.
It is not worth sacrificing security for convenience.
