In the last episode (Dec 12), James McLaughlin said:
> The new programmer for our company is not using the dataType
> "password" or any encryption whatsoever for our user accounts
> (accounts that our customers use for getting into our system) in our
> Instead he is using the VarChar dataType.
> Can someone explain to me how I can exploit this and show them it is
> very dangerous.
It's only dangerous if a customer can trick your web frontend into
displaying the output of "SELECT * FROM USERS", for example. If the
frontend only uses hardcoded queries, or quotes every user-supplied
parameter, there's no problem. In fact, you need the password in
plaintext to support an "I forgot my password; email it to me" feature.
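As an added illustration, not part of either poster's message, the following Python example shows the alternative the original question alludes to with its "password" data type: the column holds a salted, slow hash instead of the password itself, so a leaked `SELECT * FROM users` exposes hashes and salts rather than credentials, and the lookup is done with a parameterised query so a quote character in user input is handled as data. The table name, column names and the sample account are constructed for this example; the thread gives no schema.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for the company's USERS table
# (hypothetical schema: username, per-user salt, PBKDF2 hash).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


PBKDF2_ROUNDS = 100_000  # deliberately slow to make offline guessing expensive


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted: the stored value cannot be turned back into the password,
    # and two users with the same password get different hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    # Placeholders (?) send the values separately from the SQL text.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised lookup: the username is never spliced into the query string.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(stored, hash_password(password, salt))


def dump_users(conn: sqlite3.Connection) -> list:
    # What a disclosed "SELECT * FROM users" would yield: salts and hashes only.
    return conn.execute("SELECT username, salt, pw_hash FROM users").fetchall()


def demo() -> tuple:
    conn = make_db()
    # Constructed sample account; the apostrophe shows the placeholder handling it as data.
    create_user(conn, "o'brien", "correct horse")
    ok = verify_login(conn, "o'brien", "correct horse")
    bad = verify_login(conn, "o'brien", "wrong guess")
    leaked = dump_users(conn)
    plaintext_present = any(b"correct horse" in row[2] for row in leaked)
    return ok, bad, plaintext_present


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the stored value is not reversible, a forgotten-password flow built on this layout issues a new credential or a time-limited reset link rather than mailing back the stored secret.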