@bontchev @adamshostack My favorite example: programmers are taught to use prepared statements, so at first it seems their app doesn't have any SQLi's. Until they add a feature where the user controls result set ordering: you can't use bound variables for field names, so there's a vuln 90% of the time (IME, with wildly different dev teams).