Stefan Esser has posted this new piece over on the PHP Security Blog today with his opinion on why register_globals is not evil (cue the flames now).
I strongly disagree with this kind of argumentation and because I see similarities with the actions of a certain big software company I usually refer to it as Trustworthy PHPing.
During the last months, more and more self-proclaimed PHP security experts have started spreading the FUD that register_globals is evil and that you should always switch it off when you develop or deploy an application. This has resulted in vendors ignoring or playing down vulnerabilities which are only exploitable when register_globals is turned on. Even when their own hoster has this option activated, they claim the vulnerability is in PHP's register_globals and not in their application.
He states that it's not really register_globals' fault that there's so much security buzz around it - it's merely a "modus operandi" for some more serious flaws - ones in the applications themselves. Of course, he still suggests turning it off, but only for the sake of protecting those unknowingly running vulnerable code.
So the message is: switching register_globals to off is good advice for a "Howto set up a secure PHP server". But under no circumstances should this option be mentioned in a tutorial about writing secure PHP code, because this educates people in the wrong way.
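The kind of application flaw Esser is describing, shown as an added example that is not from the original post or from Stefan Esser's blog: a variable that is only assigned on one code path and then trusted elsewhere. The function names (check_credentials, is_authorized_vulnerable, is_authorized_fixed) and the sample requests are constructed for illustration; extract() is used purely to simulate what register_globals does when it imports request parameters into variable scope before the script runs.

```php
<?php
// Added example, not code from the original post. Hypothetical helper names.

// Constructed stand-in for a real credential check.
function check_credentials(string $user, string $pass): bool
{
    return $user === 'alice' && $pass === 'correct horse';
}

// VULNERABLE PATTERN: $authorized is never initialised before it is tested.
// With register_globals=On a request parameter named "authorized" is imported
// as a variable before the application code runs, so the final check can be
// satisfied without valid credentials. With register_globals=Off the same code
// is still buggy (it relies on an undefined variable); the defect lives in the
// application, which is the point of the argument above.
function is_authorized_vulnerable(array $request): bool
{
    // extract() stands in here for the register_globals import behaviour.
    extract($request);

    if (isset($user, $pass) && check_credentials($user, $pass)) {
        $authorized = true;
    }

    // $authorized may have been set by the request instead of by the check.
    return !empty($authorized);
}

// FIXED PATTERN: initialise every variable you later test, and read request
// input explicitly from the request array (in real code: $_GET / $_POST)
// instead of relying on variables appearing in scope.
function is_authorized_fixed(array $request): bool
{
    $authorized = false;
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';

    if (check_credentials($user, $pass)) {
        $authorized = true;
    }

    return $authorized;
}

// Constructed sample requests: the first carries no credentials at all,
// only a parameter that happens to share the internal variable's name.
$forged      = ['authorized' => '1'];
$legitimate  = ['user' => 'alice', 'pass' => 'correct horse'];

var_dump(is_authorized_vulnerable($forged));
var_dump(is_authorized_fixed($forged));
var_dump(is_authorized_fixed($legitimate));
```

Run with `php example.php` under any PHP version that supports `??` (PHP 7 or later). The vulnerable function accepts the forged request while the fixed one rejects it and still accepts the legitimate one; the same initialisation and explicit-input discipline is what makes the code safe regardless of how the hosting environment has set register_globals, which is why turning the directive off belongs in server hardening guidance rather than being treated as a substitute for writing the application correctly.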