It doesn't allow the user (the one with the browser) set whatever variables they please. For example, if you had this:
<?
$built_in_password = "mypass";
// $password comes from a form
if ($password == $built_in_password) {
$loggedin = true;
}
if ($loggedin) {
print "Hey, this is very secret! don't tell anyone!";
}
?>
So, if you have register_globals on, someone could call your script like so:
script.php?loggedin=1
So now in your script $loggedin would be defined as 1, and so it will bypass the password checking and it will print the sensitive info!
In other words, it's not that $_GET[] makes your apps more secure. The problems lies with register_globals. But if the PHP developers remove register_globals (or turn it off by default), then they have to introduce some other way for you, the web app developer, to access GET, POST, etc, variables.
Diego
