Users run code (hopefully your code) when they:
- Load any “active” page (.php, .py, .asp etc.)
- Fill out forms
- Search
- Buy something
- Create an account
- Log in to an account
If you wrote the code, you know all too well that you’re letting visitors run it. If the site uses a database, users are touching it, directly or indirectly. What goes into the database is entirely your responsibility. Consider cross-site scripting, for instance: do you know how to prevent or detect it?
Tamper Data is a simple tool for (you guessed it) tampering with the data your browser sends to a web server (and vice-versa). Here’s an outdated example for the sake of simplicity:
This exploit won’t work in most places any more, but it’s a good illustration of how and why people will tamper with your site.