Why sanitizing input is crucial, and can save your business
dgloriaweb


Publish Date: Jan 31 '22

About 10 years ago my friend asked me to help him out with a huge job: rewriting a webshop from scratch. He dove deep into the docs and started to fiddle with PHP code injection. This is when you use an input field whose value is passed through to the database to execute malicious code like DROP TABLE or similar hacks. He was aware that three major competitors bought the same product, so he went to the first one... boom. He got the admin password in no time. He went to the second: same result. He sat down with the CEO to discuss whether to destroy the competitors, and they decided not to. They even wrote a letter to both about the vulnerability. A few weeks later we did another check just for fun, and the input still wasn't sanitized.
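
The injection described above happens when the value of an input field becomes part of the SQL text itself. As an added example (not code from this post or from the webshop product), the PHP script below puts a concatenated query beside a prepared statement and runs both on the same inputs. The `products` table, its rows and both function names are constructed for illustration, and the script assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example: constructed schema and data, not taken from the webshop in the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)');
$db->exec("INSERT INTO products (name, hidden)
           VALUES ('Blue mug', 0), ('Red mug', 0), ('Unreleased mug', 1)");

// Vulnerable (hypothetical helper): the input is concatenated into the SQL text,
// so a quote character in the input ends the string literal and the rest of the
// input is parsed as SQL.
function findVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name FROM products WHERE hidden = 0 AND name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened (hypothetical helper): the SQL text is fixed and the input is bound
// as a parameter, so the database only ever compares it as a value.
function findSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM products WHERE hidden = 0 AND name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: an ordinary product name, and one containing a quote.
$inputs = [
    'ordinary' => 'Blue mug',
    'quoted'   => "x' OR '1'='1",
];

foreach ($inputs as $label => $value) {
    $vulnerable = findVulnerable($db, $value);
    $safe       = findSafe($db, $value);
    printf(
        "%-8s concatenated: [%s]  prepared: [%s]\n",
        $label,
        implode(', ', $vulnerable),
        implode(', ', $safe)
    );
}
```

With the quoted input, the concatenated query returns every row, including the one the `hidden = 0` filter was meant to exclude, while the prepared statement returns nothing because no product has that literal name.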

Comments 1 total

  • Imam Ali Mustofa, Feb 6, 2022

    Boom boom! Sounds like fireworks... The input matters
