#14: Turning Off Registered Global Variables

PHP has a legacy misfeature that makes it slightly easier to access GET and POST parameters. For example, if there is a POST parameter named myparm, PHP can automatically extract it and put it in a variable named $myparm. Unfortunately, this is a tremendous security risk, because any global variable can be set this way: if you forget to initialize a variable before using it, a user can supply its value in the request and manipulate vulnerable parts of your script.

You can disable this feature by setting the register_globals directive to Off in your server's php.ini file:

register_globals = Off

Fortunately, this feature is turned off by default on PHP versions 4.2 or higher. However, it's such a problem that you should always double-check.
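The following is an added example, not code from the book: it shows the uninitialized-variable pattern that register_globals turns into a hole, the same logic written so that the setting no longer matters, and a runtime double-check of the directive. The check_credentials() function is a hypothetical stand-in for whatever your application uses.

```php
<?php
// Added example (not from the book). check_credentials() is a hypothetical
// placeholder for the application's real authentication routine.

// VULNERABLE pattern: $authorized is assigned only on the success path.
// With register_globals = On, a request parameter named "authorized" is
// imported into $authorized before this code runs, so the later test
// passes without any credentials being checked.
function vulnerable_login_page()
{
    if (isset($_POST['user']) && check_credentials($_POST['user'], $_POST['pass'])) {
        $authorized = true;      // never explicitly set to false elsewhere
    }
    if (!empty($authorized)) {   // undefined unless register_globals filled it in
        echo "Welcome to the admin area\n";
    }
}

// HARDENED pattern: initialize every variable before use and read request
// data only through the superglobals. This is safe whether the directive
// is On or Off, which is the real fix: configuration is a second line of defense.
function hardened_login_page()
{
    $authorized = false;         // explicit default; request data cannot override it
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if ($user !== '' && check_credentials($user, $pass)) {
        $authorized = true;
    }
    if ($authorized) {
        echo "Welcome to the admin area\n";
    }
}

// The "always double-check" step from the text, done at runtime: refuse to
// run if the directive is enabled. ini_get() returns false when the directive
// is unknown to the interpreter (PHP 5.4 and later removed it entirely).
function assert_register_globals_off()
{
    $value = ini_get('register_globals');
    if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
        exit("register_globals is enabled; refusing to run\n");
    }
}

assert_register_globals_off();
```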
