Actually there is good reason to have register_globals=Off by default. By not having variables ready when your script loads reduces the risk of tampering with them. If you have sloppy variable verification users can take advantage of it by feeding possibly malicious values.
It is encouraged to use $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS to verify needed variables. It's possible, for example, to forge cookie variable with GET if your code does not do additional checks with it.
So it's mainly for your own sake that you don't rely on automatically generated variables but explicitly check them with $HTTP_POST_VARS or others.
