社会工程:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

从bash.org

“网络编程安全101”风格的最大错误是招聘机构的搜索页面提供了“下一页”链接，这只是获取更多工作列表的SQL语句。您可以轻松地将此URL更改为任何其他SQL语句，包括“drop table X”。如果你这么做了，他们的整个网站都会完蛋。

前一段时间，JPG图像加载库的窗口存在安全漏洞。被电子邮件中的图像感染。消

Select * from user where user_id = '*userId*' and access_level = 0 or access_level = 1;

如果查询返回任何行，则它们被允许进入系统。围绕着“access_level = 0或access_level = 1”的括号将实现他们的意图。相反，只要有access_level为1的用户，任何人都可以进入。

我曾经做过一份工作，其中有一个用Java代码编写的安全层，用于检查用户是否有权编辑DB表列。这是函数的样子:

public boolean canEdit(User user, DBColumn column) {
    if(true) {
        return true;
    } else {
        return false;
    }
}

我的一家公用事业公司在他们的信用卡表单中没有使用自动完成="off"。

当然，他们不会存储你的信用卡信息(一件好事)，但想象一下当我支付第二个月的账单时，我有多害怕，我的浏览器竟然为我填写整个信用卡号码……