#6 - 04-04-2007, 09:45 AM - melkior_inactive

The problem isn't in PHP, it's in bad programming.
For instance if register_globals is on then something like this might happen:

The page might be coded like this:
PHP Code:
// register_globals is on: every query parameter becomes a PHP variable,
// and $authorised is never initialised before it is tested
if ($password == "c3g4H2m") {
    $authorised = "1";
}
if ($authorised == 1) header("Location: admin.php?login=true");
So when the script links to example.com/index.php?password=c3g4H2m
the user would be taken to the admin area (note that this is a poor example since no one should code like this but you'll get the point).
So the script above would take the user to the Admin area if he provides the right password.

But, a hacker (or someone curious enough) might write this into his address bar: example.com/index.php?authorised=1
He too would be taken to the Admin area.

The problem in the script above is that the $authorised variable was left uninitialized.
So to fix this security risk the code should be:
PHP Code:
// initialising $authorised first overwrites any value that
// register_globals created from the query string
$authorised = "0";
if ($password == "c3g4H2m") {
    $authorised = "1";
}
if ($authorised == 1) header("Location: admin.php?login=true");
Thus by initializing the variable it doesn't matter what the hacker wrote since the variable is set to 0 on the first line.

But the safest way is to have register_globals off and then the code should look like this:
PHP Code:
// register_globals is off: only the explicitly named input is read,
// so $authorised can only be set by this script itself
if ($_GET['password'] == "c3g4H2m") {
    $authorised = "1";
}
if ($authorised == 1) header("Location: admin.php?login=true");
So, now your script accepts only the variable specified in the $_GET, and you can leave the $authorised uninitialized since no one can tamper with it.

Also note that the script above is very insecure and it was written only as an example so no one should use it for an actual login.
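An added example (not the original poster's code) that puts the three variants from the post side by side from the command line. Since register_globals was removed in PHP 5.4, extract() is used here as a stand-in for "every query parameter becomes a variable"; the request arrays are constructed, and the password "c3g4H2m" is the one from the post.

```php
<?php
// Added example, not the original poster's code. register_globals no longer
// exists in current PHP, so extract() emulates it for the two "on" variants.

// Variant 1 (vulnerable): $authorised is never initialised, so a query
// parameter of the same name survives into the check.
function loginUninitialised(array $query): bool
{
    extract($query);                       // emulates register_globals=On
    if (isset($password) && $password == "c3g4H2m") {
        $authorised = "1";
    }
    return isset($authorised) && $authorised == 1;
}

// Variant 2 (fixed by initialisation): the assignment runs after the
// globals already exist, so an injected ?authorised=1 is overwritten.
function loginInitialised(array $query): bool
{
    extract($query);                       // emulates register_globals=On
    $authorised = "0";
    if (isset($password) && $password == "c3g4H2m") {
        $authorised = "1";
    }
    return $authorised == 1;
}

// Variant 3 (register_globals off): only the named input is read and the
// decision variable is local. hash_equals() and a strict check replace the
// loose == comparison of the original.
function loginExplicit(array $query): bool
{
    $authorised = false;
    if (isset($query['password'])
        && hash_equals("c3g4H2m", (string) $query['password'])) {
        $authorised = true;
    }
    return $authorised === true;
}

// Constructed requests: a genuine login and the ?authorised=1 injection.
$requests = [
    'password=c3g4H2m' => ['password' => 'c3g4H2m'],
    'authorised=1'     => ['authorised' => '1'],
];
foreach ($requests as $label => $query) {
    printf("%-16s uninitialised=%d initialised=%d explicit=%d\n", $label,
        loginUninitialised($query), loginInitialised($query), loginExplicit($query));
}
```

Only the first variant grants access on the second request; the initialised and $_GET-only versions both reject it.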