Timing attacks, clocks, RNG, entropy starvation…
theory vs. development; countermeasures against attackers
“Code needs to work!” “This is why PHP is good” – escaping = a blacklist applied at output time = does not work most of the time (one escape routine cannot know every context the data ends up in: text, attribute, URL, SQL)
hard to grep for a missing escape 🙁 (the bug is an absence; the safe and the unsafe line look the same)
instead give data context/metadata: mark what is code/command and what is data/user input, so the composition step does the right thing by default and every place that grants trust is explicit and greppable
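The contrast described in the last three notes, as an added example that is not part of the original notes: a blacklist-style escape on plain strings beside a small context-carrying wrapper. The `Markup` type, the `h()` combinator, `render()` and the constructed attacker value are all inventions for this illustration, and the URL check is deliberately minimal (scheme allow-list only).

```python
import html
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed attacker-controlled value: breaks out of a quoted attribute.
USER_INPUT = '" onmouseover="alert(1)'


def blacklist_escape(s: str) -> str:
    """Ad-hoc escape: strips the two characters someone remembered."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def link_blacklist(title: str, href: str) -> str:
    # Plain str everywhere: nothing distinguishes code from user input, so a
    # missing or context-inappropriate escape is invisible to grep.
    return '<a title="' + blacklist_escape(title) + '" href="' + href + '">x</a>'


@dataclass(frozen=True)
class Markup:
    """A string the author explicitly asserts is HTML code, not data.

    Wrapping user input in Markup(...) is the only way to inject; grep for
    'Markup(' finds every trust grant in the code base.
    """
    value: str


def h(*pieces) -> Markup:
    """Concatenate pieces: Markup passes through, str is escaped as data."""
    out = []
    for p in pieces:
        if isinstance(p, Markup):
            out.append(p.value)
        elif isinstance(p, str):
            # html.escape with quote=True covers text and quoted-attribute
            # contexts (it escapes & < > " ').
            out.append(html.escape(p, quote=True))
        else:
            raise TypeError(f"refusing to render {type(p).__name__}; wrap or stringify it")
    return Markup("".join(out))


def safe_url(u: str) -> str:
    """URL context needs its own rule: HTML-escaping does not stop javascript:."""
    scheme = urlsplit(u).scheme.lower()
    return u if scheme in ("http", "https", "") else "#"


def link_typed(title: str, href: str) -> Markup:
    # Literal markup is wrapped (code); title and href stay plain str (data)
    # and are escaped for the context they land in.
    return h(Markup('<a title="'), title, Markup('" href="'),
             safe_url(href), Markup('">x</a>'))


def render(m: Markup) -> str:
    """Final output boundary: a forgotten wrapper fails loudly, not silently."""
    if not isinstance(m, Markup):
        raise TypeError("only Markup may be written to the response")
    return m.value


if __name__ == "__main__":
    print(link_blacklist(USER_INPUT, "/x"))          # injected handler survives
    print(render(link_typed(USER_INPUT, "/x")))      # quotes neutralised
    print(render(link_typed("t", "javascript:alert(1)")))  # href replaced
```

The point is not the escaping table but the type: a missing call to `blacklist_escape` leaves no trace, whereas a missing `Markup(...)` around a literal makes `h()` escape the markup itself (visible immediately), and a missing `render()` raises. The same shape applies to SQL (parameterized queries carry the code/data split in the protocol) and to shell commands (argument vectors instead of a joined string).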