"The set of variable-names" is a so-called namespace. But it's a namespace upon which literally everything else depends so you never want user inputs (malicious or otherwise) to be able to create new ones or to arbitrarily access or change existing ones. That's a lesson that PHP programmers learned the hard way. (It's not so much the case anymore, but it used to be that you could achieve amazing things by tacking ?is_admin=1 to a URL-string.) Code that is written that way can never be made secure or stable.