Yes, anything passed in the URL can be obviously altered which is why you should always check the data you receive (validation). The real issue with using register globals is that it is a very easy way for unscrupulous people to change your code. Never rely on receiving what you expect...check for it and discard anything that doesn't fit.

The elimination of register global variables reduces the chance of malicious users "leaking in" variables that have nasty content. Now you have to explicitly import these variables with $_GET, $_POST, or $_REQUEST, which cuts the chances that you've forgotten to give valid default values before importing the actual value (if any) with $_REQUEST, etc. Of course, you still should validate a variable's data before making use of it, to prevent injection attacks and the like. It doesn't matter how a variable used in your code arrived (explicitly via $_REQUEST, or implicitly via register global variables) if it contains bogus content. Turning off register globals simply forces you to take an extra step and be a little more careful in your code design, so that you can't overlook setting your variables along any possible code path.