diff --git a/language/variables.xml b/language/variables.xml
index 79b8a83804..4f198903d1 100644
--- a/language/variables.xml
+++ b/language/variables.xml
@@ -432,7 +432,9 @@ $bar = &test(); // Invalid. These variables are created by PHP itself. The $HTTP_*_VARS variables are available only if the track_vars
- configuration is turned on.
+ configuration is turned on. When enabled, the variables are
+ always set, even if they are empty arrays. This prevents
+ a malicious user from spoofing these variables.