I read somewhere that HTTP_X_FORWARDED_FOR is not a trusted variable when you want to log the user's IP, because they can change it. Is it real? And how?
Thanks a lot!
The proxy used can set this header to anything it wants to, and therefore you can't trust its value. Most proxies do set the correct value though. This header is mostly used by caching proxies, and in those cases you're in control of the proxy and can thus verify that it gives you the correct information. In all other cases its value should be considered untrustworthy. Read more in the Wikipedia article about X-Forwarded-For.
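The "you're in control of the proxy" case from the answer above, as an added example (not code from anyone in this thread): the header is consulted only when the TCP peer in REMOTE_ADDR is one of your own proxies, and it is read right to left because each proxy appends the peer it saw. The `TRUSTED_PROXIES` ranges and the `client_ip` name are assumptions for illustration.

```python
import ipaddress

# Assumption: address ranges of the reverse proxies you operate yourself.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Return the address to log for a CGI/WSGI-style environ dict."""
    # REMOTE_ADDR comes from the TCP connection; the client cannot choose it.
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _is_trusted(peer):
        # Request did not arrive via our proxy, so any X-Forwarded-For
        # header was written by the client itself: ignore it.
        return str(peer)
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    # Walk from the newest entry (appended by our proxy) towards the oldest
    # and stop at the first address that is not one of our proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # empty or malformed entry: trust nothing further left
        if not _is_trusted(addr):
            return str(addr)
        peer = addr
    return str(peer)


if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges).
    samples = [
        {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "1.2.3.4"},
        {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.7"},
    ]
    for env in samples:
        print(env, "->", client_ip(env))
```

Entries to the left of the one your proxy appended are still client-supplied, which is why the function never returns them.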
That's correct. Download Fiddler to see how all HTTP requests can be modified. Also, it's a good idea to learn how HTTP works; then it'll be crystal clear.
As pointed out in the answer here, the correct header for the HTTP_X_FORWARDED_FOR variable is x-forwarded-for. So you can set a custom request in Fiddler:
GET http://my.site/ HTTP/1.1
User-Agent: Fiddler
x-forwarded-for: my.x.forward.for.value
Host: my.host