Making code work with register_globals turned off

You could manually 'fake' the register globals effect but add some security. (I partly grabbed this from the osCommerce fork called xoops)

//  Detect bad global variables
$bad_global_list = array('GLOBALS', '_SESSION', 'HTTP_SESSION_VARS', '_GET', 'HTTP_GET_VARS', '_POST', 'HTTP_POST_VARS', '_COOKIE', 'HTTP_COOKIE_VARS', '_REQUEST', '_SERVER', 'HTTP_SERVER_VARS', '_ENV', 'HTTP_ENV_VARS', '_FILES', 'HTTP_POST_FILES');
foreach ($bad_global_list as $bad_global ) {
    if ( isset( $_REQUEST[$bad_global] ) ) {
        die('Bad Global');
    }
}

//  Make global variables
foreach ($_REQUEST as $name => $value) {
    $$name = $value; // Creates a variable named $name equal to $value.
}

Though you'd want to tweak it to make your code more secure, at least by adding your global configuration variables (like the path and base url) to the bad globals list.

You could also use it to easily compile a list of all used get/post variables to help you eventually replace all occurrences of, say, $return_url, with $_REQUEST['return_url'].


If you set error reporting to E_ALL, it warns in the error log about undefined variables, complete with filename and line number (assuming you are logging to a file). However, it will warn only when it comes across an undefined variable, so I think you will have to test each code path. Running PHP from the command line doesn't seem to help either.

There is a debugging tool named Xdebug; I haven't tried it, but maybe that can be useful?


I wrote a script using the built-in Tokenizer functions. It's pretty rough but it worked for the code base I was working on. I believe you could also use CodeSniffer.
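
The tokenizer approach from the last answer, sketched as an added example (not the answerer's script and not code from this page): it uses PHP's built-in `token_get_all()` to list variables that a file reads but never assigns, which are the ones register_globals used to populate. The function name `find_undefined_reads` and the sample source are constructed for illustration.

```php
<?php
// Added example: report variables a file reads but never defines.
// Heuristic: one flat scope per file; include, extract() and $$var are not tracked.
function find_undefined_reads(string $source): array
{
    $superglobals = ['$this', '$GLOBALS', '$_GET', '$_POST', '$_COOKIE',
        '$_REQUEST', '$_SERVER', '$_ENV', '$_FILES', '$_SESSION'];
    $tokens    = token_get_all($source);
    $defined   = [];      // names that are assigned or declared somewhere
    $reads     = [];      // name => line of first read
    $declaring = false;   // inside a parameter list, foreach target or catch
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            if ($tok === ')') { $declaring = false; } // ends params / foreach / catch
            continue;
        }
        if (in_array($tok[0], [T_FUNCTION, T_AS, T_CATCH], true)) {
            $declaring = true;
            continue;
        }
        if ($tok[0] !== T_VARIABLE || in_array($tok[1], $superglobals, true)) {
            continue;
        }
        // Find the next non-whitespace token to spot a plain "=" assignment.
        $j = $i + 1;
        while (isset($tokens[$j]) && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($declaring || ($tokens[$j] ?? null) === '=') {
            $defined[$tok[1]] = true;
        } elseif (!isset($reads[$tok[1]])) {
            $reads[$tok[1]] = $tok[2];
        }
    }
    return array_diff_key($reads, $defined);
}

// Constructed sample input, standing in for one legacy file.
$sample = <<<'SRC'
<?php
$base = '/shop';
function show($id) { echo $id; }
foreach ($_POST as $key => $item) { echo $key, $item; }
header("Location: $base/$return_url");
SRC;
print_r(find_undefined_reads($sample));
```

Each reported name still needs a manual look to decide which superglobal (`$_GET`, `$_POST`, `$_COOKIE`) it should be read from explicitly.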