1. The user could attempt to modify the parameters even if the parameter is not in the URL.
2. The user could inject JavaScript into the text that they are allowed to submit.
3. The user could inject SQL into the text that they are allowed to submit, so never use the user input directly as a parameter of a SQL query.
4. Don't believe that the user will change the default password; they are lazy.
5. Passwords and any sensitive data need to be one-way encrypted.
6. According to the National Vulnerability Database, approximately 4,500 common vulnerabilities and exposures (CVEs)
7. Redirects and forwards should not involve the user's input, in case the user is directed to a malware website.
-- Sam 07:54 23/05/2017
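Added example (not part of Sam's comment or the site's own code) showing three of the points above in working form: item 3 (bind user input as a query parameter rather than pasting it into SQL), item 5 (store passwords only as salted one-way hashes, here PBKDF2-HMAC-SHA256 from the standard library), and item 7 (resolve a redirect target against an allow-list instead of trusting the supplied URL). The in-memory SQLite table, the `ALLOWED_HOSTS` set, the user names and the iteration count are constructed assumptions for the demonstration; the unsafe lookup is kept only to contrast it with the bound version and is shown failing on a legitimate name containing an apostrophe.

```python
import hashlib
import hmac
import os
import sqlite3
from urllib.parse import urlparse

# Constructed in-memory database with a single users table (assumed schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash BLOB, salt BLOB)"
    )
    return conn

# Item 3, the pattern to avoid: the input becomes part of the SQL text, so a
# quote in the name changes the statement (here it simply breaks it).
def find_user_unsafe(conn, username):
    row = conn.execute(
        f"SELECT username FROM users WHERE username = '{username}'"
    ).fetchone()
    return row[0] if row else None

# Item 3, the safe form: the driver binds the value, so it is always data.
def find_user(conn, username):
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None

# Item 5: passwords are stored only as a salted one-way hash.
ITERATIONS = 200_000  # assumed work factor; tune to the deployment

def hash_password(password, salt=None):
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return digest, salt

def register(conn, username, password):
    digest, salt = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, digest, salt))

def verify_password(conn, username, password):
    row = conn.execute(
        "SELECT pw_hash, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    stored, salt = row
    digest, _ = hash_password(password, salt)
    # Constant-time comparison of the two hashes.
    return hmac.compare_digest(stored, digest)

# Item 7: a redirect target taken from the request is only honoured if it is a
# local path or points at one of our own hosts; anything else falls back.
ALLOWED_HOSTS = {"example.com"}  # assumed: the application's own host(s)

def safe_redirect_target(target, default="/"):
    if "\\" in target:
        return default  # browsers treat "/\host" like "//host"
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        if target.startswith("/") and not target.startswith("//"):
            return target  # relative path on our own site
        return default
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return target
    return default

if __name__ == "__main__":
    db = make_db()
    register(db, "O'Brien", "correct horse battery staple")
    print(find_user(db, "O'Brien"))                      # O'Brien
    print(verify_password(db, "O'Brien", "wrong"))       # False
    print(safe_redirect_target("//evil.example/login"))  # /
```

The bound query handles the apostrophe in "O'Brien" as ordinary data, while the string-built query raises a syntax error on the same input, which is the simplest demonstration of why item 3 matters. For the redirect check, comparing `parsed.hostname` rather than `parsed.netloc` ignores any port or user-info prefix that would otherwise slip a foreign host past the allow-list.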
