It's a tie between 3 things for me.

1. md5 hashed passwords
2. post variable concatenated into sql with no checks
3. admin login over http

Sad thing is that all 3 were one website I redid a few years ago.

Comments
  • 0
    Can you detail the second one
  • 1
    @danielmm Probably running queries with user input without sanitation
  • 0
    @danielmm the login where statement for mysql was

    WHERE username='". $_POST ['username']."' AND password='".md5($_POST ['password'])."'

    so yeah I don't know how that site never got hit hard before I got my hands on it
  • 0
    @jckimble oh lol wtf
  • 0
    @danielmm yeah, every class wtf fuck up that could be done in less than 30 characters: SQL injection, MD5, no salt. The whole damn site could have been hacked in an hour using rainbow tables. BTW, did I say they had no automated backup and relied on their hosting to back up their site?
  • 0
    I got you beat. Plaintext passwords plus #2 and 3. 😉 Usually form vars had apostrophes duplicated, but not always, and not a parameterized query in sight.
  • 1
    @spongessuck I call unsalted MD5 hashes the same as plain text since there are online rainbow tables of MD5 hashes
  • 0
    Oh my god, I just got brought another one: plain text passwords in the database, POST variables escaped by addslashes only. Trying to figure out who wrote this sorry pos
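
An added example, not code from the thread or from the site being discussed: the login check with a bound parameter in place of the concatenated WHERE clause quoted above, plus an upgrade of unsalted MD5 rows to password_hash() on the next successful login. The table layout, the login() helper, the sample user and the in-memory SQLite database (standing in for MySQL) are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed setup: in-memory SQLite stands in for the site's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed legacy row: unsalted MD5, the way the old login stored it.
// The apostrophe in the name would break the concatenated query.
$seed = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$seed->execute(["o'brien", md5('correct horse battery')]);

/** Hypothetical helper: returns true when the credentials are valid. */
function login(PDO $db, string $username, string $password): bool
{
    // The placeholder binds the value as data; it is never parsed as SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }

    // Legacy rows hold a 32-character hex MD5 digest.
    $isLegacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))   // constant-time comparison
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }

    // Upgrade on successful login: replace MD5 (or outdated parameters)
    // with a salted, deliberately slow hash from password_hash().
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

var_dump(login($db, "o'brien", 'correct horse battery')); // checked against the legacy MD5 row
var_dump(login($db, "o'brien", 'wrong password'));        // checked against the upgraded row
var_dump(login($db, "o'brien", 'correct horse battery')); // checked via password_verify()
```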