Security: tales from the trenches

Let's go through a series of case studies highlighting bad security practices in legacy PHP projects. We'll go over examples of object injection leading to a shell, custom cryptography gone bad, account hijacking via cross-site request forgery, and the usual SQLi and XSS vulnerabilities. Each case comes with tips and tricks to help you spot these patterns, along with what you can do to prioritize those issues and foster a culture of security.