Fixes for related issues:

https://security.drupal.org/node/104803#comment-77068
https://drupal.org/node/2269059

Removed cast to (int) to ensure is_numeric() immediately after doesn't always pass, also added additional check in if statement to be doubly secure
Changed so both instances of variable_get('webserver_auth_create_user') default to same value (FALSE)