An IP address helps Facebook and Google to determine whether someone trying to access your account is in fact you. I've seen proxies able to "spoof" the IP address, but that wouldn't change it to the correct one for access to that account. If someone knew my IP address and password to one of my accounts, would it be possible for someone to spoof their IP address to match mine? Is IP address security like this really safe and would it be good to incorporate it into my PHP scripts?
Question:
Answer 1:
You can't really spoof an IP effectively because if you do, HTTP responses will go to that IP rather than yours. As such, it'd probably not be the best use of your time. (They can be fake, but they can't receive the intended data.)
By "receive the intended data", I mean that if someone at 127.0.9.63 tries to send a login request to Google, and spoofs their IP to be 123.53.53.234, then Google will send the response to 123.53.53.234, not 127.0.9.63. That means that the would-be hacker at 127.0.9.63 never actually receives any data pertaining to your account.
This is a risk (but probably not to you) - it's a well-established way of conducting DDoS (Distributed Denial of Service) attacks. Have a look at this article if you're curious.
Answer 2:
The first thing to know is that if someone knows your IP and tries to spoof it, they cannot receive any responses since the response would be sent to your IP. So logging into a website with a spoofed IP is generally not possible.
Also worth knowing is that any ISPs now are able to prevent IP spoofing by filtering out requests originating from their network which come from IP addresses not part of their network.
The spoofer project has a lot of useful information on the subject, including ISPs from which you can and cannot spoof.
Answer 3:
IP security is not safe at all. It is super easy for anyone to find your IP and then spoof it to be you. Checking that a person is the right person based on IP is not a strong form of security, but it does help a little. I would suggest using a cookie on the client machine in question such that a unique key is stored on that machine that would have to match one stored in the DB of your server. That would be much safer.
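A sketch of the cookie check this answer suggests, as an added example that is not part of the original answer: the server issues a random token per device, keeps only its hash, and compares the cookie value against it on later requests. The function names, the `device_token` cookie name and the in-memory array standing in for the database table are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for the server-side DB table:
// user id => list of SHA-256 hashes of tokens issued to that user's devices.
$deviceTokens = [];

/** Issue a random device token and store only its hash server-side. */
function issueDeviceToken(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $store[$userId][] = hash('sha256', $token);
    return $token;                             // value to place in the cookie
}

/** True if the presented cookie value matches a token issued to this user. */
function isKnownDevice(array $store, int $userId, ?string $cookieValue): bool
{
    // Reject missing or malformed values before doing any lookup.
    if ($cookieValue === null || !preg_match('/\A[0-9a-f]{64}\z/', $cookieValue)) {
        return false;
    }
    $presented = hash('sha256', $cookieValue);
    $known = false;
    foreach ($store[$userId] ?? [] as $storedHash) {
        // hash_equals() compares in constant time.
        if (hash_equals($storedHash, $presented)) {
            $known = true;
        }
    }
    return $known;
}

/** Send the token as a cookie that scripts cannot read and that only travels over HTTPS. */
function sendDeviceCookie(string $token): void
{
    setcookie('device_token', $token, [
        'expires'  => time() + 60 * 60 * 24 * 90,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed demo values: user 42, one issued token, one guessed token, no cookie.
$token = issueDeviceToken($deviceTokens, 42);
var_dump(isKnownDevice($deviceTokens, 42, $token));
var_dump(isKnownDevice($deviceTokens, 42, str_repeat('0', 64)));
var_dump(isKnownDevice($deviceTokens, 42, null));
```

In a real script `sendDeviceCookie()` would be called after a successful password login, and `isKnownDevice()` would read `$_COOKIE['device_token'] ?? null` on later requests.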
Answer 4:
An IP address can be entirely faked, but cannot receive any packets in response. So if they knew your IP address they could not use it to pretend to be you. However, I think you're mistaken that Google and Facebook use a specific IP address to determine who you are. They may use geolocation to guess plausibility, but they generally use cookies to recognize your machine when you're coming back.
Answer 5:
IP spoofing across different routers and across ISPs is not possible.
You can very easily do IP Spoofing within a WLAN, particularly easily if you're doing a MITM attack and using tools like ettercap filters. But going outside of the WLAN? Nope. Routers know what IPs are within each area and if an IP that is invalid in an area claims to come from it, it will kill the packet.
Answer 6:
Yes, IP addresses can be faked, sort of. You can't receive any data back from requests made with a faked IP. I wouldn't say that method is "that safe", but it's just another layer of security to reduce the possibility of a problem. The more layers, the more work it is for a hacker to deal with. Nothing is 100% secure.