modern-web-design-and-development


XKCD comic showing how SQL injection would delete a database.


Cross-Site Scripting (XSS)


Cross-site scripting is probably the biggest and most common problem.
With it, an attacker injects JavaScript code into your document by adding it
to the end of the URI as a parameter or in a form field; your page then copies
that input into the HTML it sends back, and the browser executes the script.


Say you want to be cool and allow visitors to customize certain colors on
your page. You could do this easily in PHP:


<?php
// predefine colors to use
$color = 'white';
$background = 'black';
// if there is a parameter called color, use that one
// (taken verbatim from the query string: no validation, no escaping)
if (isset($_GET['color'])) {
    $color = $_GET['color'];
}
// if there is a parameter called background, use that one (likewise unchecked)
if (isset($_GET['background'])) {
    $background = $_GET['background'];
}
?>
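The snippet above only reads the parameters; the injection happens when they are written into the page. The following is an added example, not code from the book: the same colour-customising page rendered twice, once in the unsafe style of the snippet (values copied into a style block verbatim) and once hardened with an allow-list plus output encoding. The function names (render_unsafe, safe_color, render_safe), the list of accepted colour names and the constructed request are my own assumptions.

```php
<?php
// Added example (not from the book). Function and parameter names are assumed.

// Unsafe: query-string values are placed into the document verbatim, so a
// value such as  </style><script>...  is interpreted as markup, not as a colour.
function render_unsafe(array $query): string
{
    $color      = $query['color']      ?? 'white';
    $background = $query['background'] ?? 'black';
    return "<style>body { color: $color; background: $background; }</style>\n";
}

// Hardened, two independent layers:
//  1. validate: accept only a known CSS colour name or a #rgb/#rrggbb hex
//     value and fall back to the default otherwise (allow-list, not deny-list);
//  2. encode: escape for the HTML context on output anyway, so a later change
//     to the validator cannot silently reintroduce the bug.
function safe_color(?string $value, string $default): string
{
    if ($value === null) {
        return $default;
    }
    // Assumed allow-list; extend it with whatever colours the page offers.
    $named = ['white', 'black', 'red', 'green', 'blue', 'yellow', 'gray'];
    $lower = strtolower($value);
    if (in_array($lower, $named, true)) {
        return $lower;
    }
    if (preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i', $value) === 1) {
        return $value;
    }
    return $default;
}

function render_safe(array $query): string
{
    $color      = safe_color($query['color']      ?? null, 'white');
    $background = safe_color($query['background'] ?? null, 'black');
    // ENT_QUOTES also encodes ' and ", which matters if a value ever lands
    // inside an attribute; '<' becomes '&lt;', so a closing </style> cannot form.
    $color      = htmlspecialchars($color,      ENT_QUOTES, 'UTF-8');
    $background = htmlspecialchars($background, ENT_QUOTES, 'UTF-8');
    return "<style>body { color: $color; background: $background; }</style>\n";
}

// Constructed request (stands in for $_GET): the "background" parameter
// carries markup instead of a colour. Compare the two outputs.
$request = [
    'color'      => 'white',
    'background' => '</style><script>alert(1)</script>',
];

echo "unsafe: " . render_unsafe($request);
// unsafe: <style>body { color: white; background: </style><script>alert(1)</script>; }</style>
echo "safe:   " . render_safe($request);
// safe:   <style>body { color: white; background: black; }</style>
```

Run it with `php example.php`. In the unsafe output the browser sees the `</style>` inside the value, closes the style block and executes the script tag that follows; in the hardened output the value fails the allow-list and the default is used. Inside a `<style>` block the allow-list is the defence that actually matters, because HTML entity encoding is the correct escaping only for element content; it is kept here so the output is still safe if someone later loosens the validator or reuses the value in an attribute.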
