PHP is known for its dynamic and interactive nature, so it is often used to generate pages that let users create their own usernames and passwords. PHP developers therefore use encryption methods to protect the password before the form field entry is submitted to the database field. Some time ago PHP web application programmers used the Message Digest Algorithm (MD5) function to hash the password into a 128-bit string, but that was not sufficient against modern attackers with modern technologies. Now most PHP website developers use the Secure Hash Algorithm (SHA-1) function to create a 160-bit string, which is more secure than the previous one.
Typically the php.ini file contains a setting named “register_globals”. When this setting is on, the server automatically creates global variables from many of the server’s variables and query strings. This is a big loophole in the security of the application. Therefore, many third-party packages, such as the CMS software Joomla and Drupal, require users to set register_globals off, so that automatic global variable generation stops and unauthorized users cannot access sensitive data just by guessing the name of the variable that validates the password. Thus, a smart PHP developer will set register_globals off to avoid these security issues.
Most of us PHP web programmers are lazy at some point, or we are hard pressed to finish the task quickly so that the client can reach the market earlier than her competitors, and so we skip thorough coding and good coding practices. One of these good practices is giving a value to the variables that validate the authentication process. Here value instantiation is important before the log-in procedure starts. If value instantiation is done, we can prevent users from bypassing the verification process and gaining easy access to protected areas that are not included in their access privileges. Moreover, value instantiation blocks users from starting new sessions on an application, but some security issues still remain.
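The register_globals and value instantiation points above can be seen side by side in the following added example, which is not code from the original article. It assumes a modern PHP where register_globals no longer exists, so extract() emulates it; the function names, the flag name $authorized and the sample requests are all constructed for illustration.

```php
<?php
// Added example (not from the article). register_globals was removed in
// PHP 5.4, so extract() emulates it here: each request parameter becomes a
// variable of the same name. All names and values below are constructed.

// password_hash()/password_verify() stand in for the article's SHA-1 step.
define('STORED_HASH', password_hash('correct-horse', PASSWORD_DEFAULT));

// Weak: $authorized has no value before the check, so a request parameter
// with the same name survives a failed password check.
function check_uninitialized(array $request): bool
{
    extract($request);                      // emulated register_globals
    if (isset($password) && is_string($password)
        && password_verify($password, STORED_HASH)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened: the flag gets a value before the log-in check starts, and input
// is read only from the request array, never from auto-created variables.
function check_initialized(array $request): bool
{
    $authorized = false;
    $password = isset($request['password']) && is_string($request['password'])
        ? $request['password'] : '';
    if (password_verify($password, STORED_HASH)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a correct log-in, a wrong password, and a wrong
// password accompanied by a parameter named like the flag.
$cases = [
    'correct password'      => ['password' => 'correct-horse'],
    'wrong password'        => ['password' => 'guess'],
    'wrong password + flag' => ['password' => 'guess', 'authorized' => '1'],
];
foreach ($cases as $label => $request) {
    printf("%-22s uninitialized=%-5s initialized=%s\n", $label,
        var_export(check_uninitialized($request), true),
        var_export(check_initialized($request), true));
}
```

Only the third request separates the two functions: the uninitialized check accepts it, while the initialized check rejects it.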
Conclusion:
PHP is a highly flexible web development language, and this flexibility causes many problems as far as security is concerned. If we take some precautions before deploying a PHP application, we can avoid future damage with the least effort.