I need to use $_SERVER variables like SCRIPT_FILENAME for an MVC framework I'm writing. I'm wondering if a user can change things like that. Say the user requests index.php, can they fake the SCRIPT_FILENAME variable and rename it to something else that is being sent over?
Yes, it is possible.
Assuming that the user doesn't have access to some way that re-directs the execution of the script through another script, or access to the server, I'd say no. Also, if you're really worried about that, you can use __FILE__ which doesn't depend on user data.
Some $_SERVER values are safe, others are not. The unsafe ones mostly start with HTTP_ and are the HTTP headers sent by the user's browser.
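As an added example (not code from any of the answers above), this sketch separates a $_SERVER-style array into request-derived and server-set entries, and resolves a controller file from __DIR__ instead of from request data. The function names, the `route` parameter, the `controllers/` layout, the list of non-HTTP_ request-derived keys and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Keys without the HTTP_ prefix that PHP still fills from the request itself.
const REQUEST_DERIVED_KEYS = [
    'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF', 'REQUEST_METHOD',
    'CONTENT_TYPE', 'CONTENT_LENGTH', 'PHP_AUTH_USER', 'PHP_AUTH_PW',
];

/** Split a $_SERVER-style array into client-influenced and other entries. */
function partitionServerVars(array $server): array
{
    $result = ['client' => [], 'server' => []];
    foreach ($server as $key => $value) {
        $fromClient = strncmp((string) $key, 'HTTP_', 5) === 0
            || in_array($key, REQUEST_DERIVED_KEYS, true);
        $result[$fromClient ? 'client' : 'server'][$key] = $value;
    }
    return $result;
}

/** Map a route name to a file under a base directory the caller fixes in code. */
function resolveController(string $route, string $baseDir): ?string
{
    // The route is request data: allow-list its shape before building a path.
    if (preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $route) !== 1) {
        return null;
    }
    $path = $baseDir . '/controllers/' . $route . '.php';
    return is_file($path) ? $path : null;
}

// Constructed sample data; which keys a server sets itself depends on its configuration.
$sample = [
    'SCRIPT_FILENAME' => '/var/www/app/index.php',
    'DOCUMENT_ROOT'   => '/var/www/app',
    'REMOTE_ADDR'     => '192.0.2.10',
    'HTTP_HOST'       => 'client-chosen.example',
    'HTTP_USER_AGENT' => 'any string the client sends',
    'QUERY_STRING'    => 'route=Not A Route',
];

$parts = partitionServerVars($sample);
echo 'client-influenced: ', implode(', ', array_keys($parts['client'])), PHP_EOL;
echo 'other:             ', implode(', ', array_keys($parts['server'])), PHP_EOL;

parse_str($sample['QUERY_STRING'], $query);
$route = $query['route'] ?? '';
// The base directory comes from __DIR__, never from $_SERVER.
var_dump(is_string($route) ? resolveController($route, __DIR__) : null);
```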