The .php extension causes the PHP interpreter to process the file instead of displaying its contents. Displaying the contents might reveal useful information for breaching the security of your site, such as passwords or the inner workings of your code.
Solution to Question 14-2
The sha1() function creates a 160-bit key instead of md5()'s 128-bit string. It also uses a superior algorithm for making it difficult to determine the values that generate a particular encoding.
Solution to Question 14-3
If a malicious user knows that you're storing the logged-in user's ID in an automatic global variable, it's easy for him to send in his own value for the user ID as a URL parameter. He can then become any user.
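The difference between trusting an automatic global and trusting server-side session data, as an added example that is not from the original text. It assumes plain arrays standing in for `$_GET` and `$_SESSION` so it runs from the command line, and a hypothetical helper, `import_request_as_globals()`, that reproduces what `register_globals` did (the setting was removed in PHP 5.4).

```php
<?php
// Stand-in for register_globals: every request parameter becomes a
// global variable of the same name. Hypothetical helper for this example.
function import_request_as_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Weak: the page trusts the automatic global $user_id, which any
// request parameter named user_id can set.
function whoami_weak(array $query): ?string
{
    unset($GLOBALS['user_id']);          // start from a clean request
    import_request_as_globals($query);
    return isset($GLOBALS['user_id']) ? (string) $GLOBALS['user_id'] : null;
}

// Hardened: the identity comes only from session data that the login
// code wrote on the server after checking the password. The query
// string is accepted as a parameter here only to show it is ignored.
function whoami_hardened(array $session, array $query): ?string
{
    return isset($session['user_id']) ? (string) $session['user_id'] : null;
}

// Constructed sample data: the session belongs to user 42, while the
// query string carries a user_id value chosen by the visitor.
$session = ['user_id' => '42'];
$query   = ['user_id' => '1'];

var_dump(whoami_weak($query));               // identity taken from the request
var_dump(whoami_hardened($session, $query)); // identity taken from the session
```

In a real page the hardened version reads `$_SESSION['user_id']` after `session_start()`, and the value is written only by the login code.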
Solution to Question 14-4
Untrustworthy data, or data that a user can easily manipulate before it is submitted to your program, includes: