Claiming that “register_globals is evil” is nothing but FUD. Not register_globals per se is evil, but lazy programmers that rely on it – or write flawed “deregistration layers”.
Contrary to self-proclaimed “security experts” claiming otherwise, there is a lot of PHP products that run very well with register_globals on or off, without having to resort to finger pointing at a language feature.
Do you “experts” also consider echo evil because it can be used to greatly faciliate XSS attacks by not filtering output? Or mysql_query() – because without it, SQL injection would not be possible? Your logic is seriously flawed.
