Big Problem of IIS. Is PHP can prevent it?

Because user can pass variable and value via Addressbar
for example
http://www.xxxxxx.com?auth=1&name=username;

I think it a big problem in security because it can assign all variable?

Recently, I know that we can access and edit file on All server that use IIS (only IIS not Apache or other). By query instruction after address bar. I don't know this instruction but ever seen it. it long instruction. My friend can do it but he don't tell me? :(

If someone has known this problem please explanation more detail, How to do, and how to prevent, especially how to prevent user type command or vairable after url of website

Set register_globals to off in your php.ini and install the latest security patches for the code red worm.

Can you explain me why set register_globals = off. Is this can solve problem with query string via address bar. And Is code Red worm involve
this problem

Register globals is a setting in php.ini which when on registers the EGPCS (GET, POST, Cookie, Environment and Built-in variables, not in that order!) variables as global. So, variables in the url will automatically become variables in the script. This is the setting:

register_globals = On

Sean :)