Fewtureweb

Stories and thoughts on Business, Tech, etc

Jun 22

What does register_globals do?

By raheem

Register globals makes it *really* easy to code in PHP. It’s what takes the URI
or posted form data, and turns them into global variables in your script.

So if a URL looked like:

http://www.fakename.com/index.php?target=help

then, with register_globals on, PHP will create a variable, $target, which has
the value ‘help’ in it. It’s very useful and friendly, but if you don’t
initialize your variables, some not-so-nice person could initialize them for you
by passing them in the URI, POST data, cookies, etc., so that your code no longer
works as expected.

You’re safe with it on if you always initialize variables, and set
error_reporting to E_ALL while testing so you catch any you might otherwise
miss.

If you leave it off, you need to use the associative arrays $_POST, $_GET etc.
The above example would be $_GET['target'].

Taken from this site
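
The difference described above, as an added example that is not from the original post or the site it quotes. Because register_globals was removed in PHP 5.4, `extract()` stands in for it here; `check_login()`, `$is_admin` and the two page functions are hypothetical names, and the requests are constructed.

```php
<?php
// Added example. register_globals was removed in PHP 5.4, so extract() is
// used here to emulate it: each request key becomes a variable in scope.
error_reporting(E_ALL); // as the post advises while testing

// Hypothetical credential check; the constructed requests carry no login.
function check_login(array $req): bool
{
    return false;
}

// Written the register_globals way: $is_admin is only assigned on success.
function page_register_globals_on(array $req): string
{
    extract($req); // emulation: creates $target, plus any other key sent
    if (check_login($req)) {
        $is_admin = true;
    }
    // If $is_admin was never assigned, E_ALL reports an undefined variable
    // here (a notice in PHP 7, a warning in PHP 8).
    return $is_admin ? "admin view: $target" : "public view: $target";
}

// Written for register_globals off: initialize, then read $_GET explicitly.
function page_register_globals_off(array $get): string
{
    $is_admin = false;                    // always initialized by the script
    $target   = $get['target'] ?? 'home'; // stands in for $_GET['target']
    if (check_login($get)) {
        $is_admin = true;
    }
    return $is_admin ? "admin view: $target" : "public view: $target";
}

// Constructed requests: the post's URL, and the same URL with an extra key.
$plain = ['target' => 'help'];                    // index.php?target=help
$extra = ['target' => 'help', 'is_admin' => '1']; // ...&is_admin=1

foreach (['plain' => $plain, 'extra' => $extra] as $name => $req) {
    echo "$name / on:  ", page_register_globals_on($req), PHP_EOL;
    echo "$name / off: ", page_register_globals_off($req), PHP_EOL;
}
```

The undefined-variable report on the plain request is the signal E_ALL gives during testing: it marks a variable the script reads before assigning, which is exactly the one a request key could fill in when register_globals is on.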

Why was register_globals disabled in PHP?
register_globals was set to off by default starting with PHP 4.2.0. When this setting is on, your script is automatically injected with various environment, GET, POST and cookie information set as variables. This poses a security risk since the environment variables could be set externally by using the URL. The following link provides a nice example of the security risk of setting register_globals to on.
How register_globals can lead to insecure code
