I’m a firm believer in the old saying, “If it’s not broken, don’t ‘fix’ it!”, which is why most of my Joomla sites are still running PHP4.
Yes, you understood correctly about the globals.php tweak; it does attempt to mitigate register_globals=on. Whether or not it is more/less effective than actually setting them off is somewhat debatable - it does seem to plug the potential hole.
I don’t know that it is ever correct to say that anything “would …effectively solve all the security risks”, as anything accessible on the web risks being subjected to continual attacks. Think of it as an “arms race” - we plug an exploited bit of code, the bad guys find another attack vector, rinse, and repeat. Traditionally, the register_globals=on setting has been popular with attackers, and changing it does eliminate that exposure, so it is a “good thing™”.
The code you need to change in the script is to add a “substitution” regular expression, similar to the one used to modify the max upload - if you will be patient with me, I’ll inspect the PHP4 php.ini file for what is needed, and post a code snippet later tonight for inclusion in the script.
There won’t be any need for Apache to be rebooted, as (I assume!) you are running PHP as CGI - all of this depends upon that. It would need to be rebooted if you were running mod-php as an Apache module. When running PHP as CGI, the php.ini is read upon execution of the php.cgi, so Apache doesn’t care.
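An added example, not the snippet promised in the post and not part of the script under discussion: one way to write the substitution that forces `register_globals` off in a private copy of php.ini. It assumes the script is a POSIX shell script using `sed`; the function names and sample file contents are hypothetical.

```shell
#!/bin/sh
# Added example: force register_globals off in a private php.ini copy.
# Function names are hypothetical, not taken from the script in the thread.

set_register_globals_off() {
    ini="$1"
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    tmp="$ini.tmp.$$"
    # Rewrite every active (uncommented) register_globals line.
    # Comment lines starting with ';' are left untouched.
    sed -e 's/^[[:space:]]*register_globals[[:space:]]*=.*$/register_globals = Off/' \
        "$ini" > "$tmp" || return 1
    # If the file had no active directive, append one rather than rely on
    # whatever default the PHP build ships with.
    grep -q '^register_globals = Off$' "$tmp" ||
        printf '%s\n' 'register_globals = Off' >> "$tmp"
    mv "$tmp" "$ini"
}

register_globals_state() {
    # Print the last active value, lower-cased (later lines override earlier).
    sed -n 's/^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*$/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample input, not a real php.ini.
    printf '%s\n' \
        '; - register_globals = Off  [Security]' \
        'upload_max_filesize = 2M' \
        '  register_globals = On ; legacy setting' > "$d/php.ini"
    set_register_globals_off "$d/php.ini" && register_globals_state "$d/php.ini"
    rm -rf "$d"
}

demo   # prints: off
```

Under PHP as CGI the edited file is picked up on the next request; `phpinfo()` output is the place to confirm which php.ini was actually loaded.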