信不信由你，我最近在一个网站上发现了这个:

eval($_GET['code']);

服务器甚至没有安全模式…

瑞典的一家在线dvd租赁店在查询字符串中发送了纯sql语句。

如果你在菜单框中选择了“Comedy”类别，它会将“select * from movies where category=2”作为查询字符串发送给movielist-frame，然后执行sql语句并显示所有符合条件的电影。

在您的订单中添加电影时也是如此。

只要将查询更改为“从电影中删除*”和“从订单中删除*”，该公司就会大获成功。

我所见过的最糟糕的安全漏洞是，人们在firefox账户上不使用主密码，即使他们让它保存了所有的密码。这意味着任何能拿到你账户文件的人都能窃取你所有的密码。使用主密码。

默认登录凭据，特别是当是admin/root和密码时。

Right at the start of the .com era, I was working for a large retailer overseas. We watched with great interest as our competitors launched an online store months before us. Of course, we went to try it out... and quickly realized that our shopping carts were getting mixed up. After playing with the query string a bit, we realized we could hijack each other's sessions. With good timing, you could change the delivery address but leave the payment method alone... all that after having filled the cart with your favorite items.

在我以前工作的店里有个不错的。通往非公共区域的门有小键盘，所以你必须输入pin码才能进入。然而，你只需按#，门就会打开，这是我们喜欢的事实，因为按#比按6位pin码容易得多。