From f0ed705e1ac34fed4c92979f63bee74c382f991b Mon Sep 17 00:00:00 2001 From: philip Date: Wed, 5 Mar 2025 09:35:47 -0800 Subject: [PATCH] Improved part that mentions register_globals and magic_quotes This closes https://github.com/php/doc-en/issues/4503 --- security/variables.xml | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/security/variables.xml b/security/variables.xml index 55c5a08fca..8b0925e90b 100644 --- a/security/variables.xml +++ b/security/variables.xml @@ -71,13 +71,24 @@ exec ($evil_var); improve it. - You may also want to consider turning off register_globals, - magic_quotes, or other convenience settings which may confuse - you as to the validity, source, or value of a given variable. - Working with PHP in error_reporting(E_ALL) mode can also help warn - you about variables being used before they are checked or - initialized (so you can prevent unusual data from being - operated upon). + Improve security by disabling convenience settings that obscure input + data's origin, validity, or integrity. Implicit variable creation and + unchecked input can lead to vulnerabilities like injection attacks and + data manipulation. + + + Features like register_globals and + magic_quotes (both removed in PHP 5.4.0) once contributed + to these risks by automatically creating variables from user input and + escaping data inconsistently. While no longer in PHP, similar risks persist + if input handling is mismanaged. + + + Enable error_reporting(E_ALL) to + help detect uninitialized variables and validate input. Use strict types + (declare(strict_types=1), + introduced in PHP 7) to enforce type safety, prevent unintended type conversions, + and improving overall security.
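Review bot: In the last added paragraph the sentence `to enforce type safety, prevent unintended type conversions, and improving overall security` loses its parallel structure at the end; change `and improving` to `and improve`. The same paragraph also overstates both settings: `error_reporting(E_ALL)` surfaces warnings about undefined or uninitialized variables, it does not `validate input`, and `declare(strict_types=1)` only governs scalar type declarations for calls made from the file that declares it; it has no effect on the string values that arrive in `$_GET`, `$_POST` and the other request arrays, so it does not address the `injection attacks` the first added paragraph raises. Suggest `Enable error_reporting(E_ALL) to surface warnings about undefined or uninitialized variables` and describe strict_types as preventing silent scalar coercion in your own function calls rather than as input validation or a general security control. Separately, the first added paragraph still opens with the imperative `Improve security by disabling convenience settings`, while the next paragraph states those settings were removed in PHP 5.4.0; either drop the imperative or say what `similar risks persist if input handling is mismanaged` refers to on current PHP (for example `extract()` applied to a request array, or variable variables, which reproduce the register_globals effect), since as written the sentence gives the reader nothing concrete to check.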