[S5 Slides] Security in Web Applications (6.470.scripts.mit.edu)
16 points by costan 5998 days ago
3 comments

1) Don't use anything fast (like md5) to hash your passwords. Use many rounds of md5 or sha-1, or use something specifically designed for password hashing like eksblowfish.

2) Don't escape your SQL, use parameterized queries

How good is md5 plus a 4-character (digits, actually, in the slides) salt?