I am sorry to tell you that you AND your colleagues are (probably) not producing secure code here. If there is one rule for server security it's this:
Never trust the client
No matter how hard you filter and check the input in your client program, there is in fact no way for you to be sure the client hasn't been compromised. Think for instance about an HTML form with JavaScript checks on the input. Anyone can turn JavaScript off, write an alternative form, write an alternative client with LWP etc etc etc. This is (at least theoretically) true for every client program.
You MUST test the input on the server side if you are going to do any potentially dangerous things with it.
To answer your question though, the best way to demonstrate a security hole is to demonstrate exploiting it. Gather your coworkers around, enter some invalid data and see the system crash (or worse). Good security is not something that is achieved with only good intentions, it takes real effort and studying to do it right.
A very good guide to the various problems in this area can be found at the Open Web Application Security Project. Read it and let others read it. At the very least it will give your coworkers some feel for the variety of the problems.
--
Joost downtime n. The period during which a system
is error-free and immune from user input.
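Server-side validation of the kind the reply above calls for, as an added example that is not part of the original post or of any code its author wrote. It is plain Perl; the field names and whitelist rules are assumptions chosen for illustration, and the two submissions are constructed sample input. Each field is accepted only if it matches an anchored regex, unexpected fields are rejected, and the captured group is what the script keeps, so the same code also untaints the values when run under `perl -T`.

```perl
#!/usr/bin/perl
# Added example, not from the original post: server-side validation that
# ignores whatever checks the client claims to have done. Run as
# `perl -T validate.pl` to have Perl's taint mode refuse to use any value
# that did not pass through one of these regexes.
use strict;
use warnings;

# Whitelist rules (assumed for this example): each field has one anchored
# regex whose capture group is the only shape we accept.
my %RULES = (
    username => qr/^([a-zA-Z0-9_]{1,32})$/,
    age      => qr/^([1-9][0-9]{0,2})$/,
    email    => qr/^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$/,
);

# Validate a hashref of raw parameters (e.g. from CGI->Vars or a decoded
# JSON body). Returns (\%clean, \@errors). Values in %clean are the regex
# captures, which is what untaints them under -T; anything else is rejected.
sub validate_input {
    my ($raw) = @_;
    my (%clean, @errors);

    for my $field (sort keys %RULES) {
        my $value = $raw->{$field};
        if (!defined $value || $value eq '') {
            push @errors, "$field: missing";
            next;
        }
        if ($value =~ $RULES{$field}) {
            $clean{$field} = $1;
        } else {
            push @errors, "$field: rejected";
        }
    }

    # The client does not get to decide the schema: unknown fields are errors.
    for my $field (sort keys %$raw) {
        push @errors, "$field: unknown field" unless exists $RULES{$field};
    }
    return (\%clean, \@errors);
}

# Constructed sample submissions: one well-formed, one that any client-side
# check would have stopped had the client not simply bypassed it.
my @submissions = (
    { username => 'alice', age => '34', email => 'alice@example.com' },
    { username => "bob'; DROP TABLE users; --", age => '-1',
      email => 'not-an-address', debug => '1' },
);

for my $submission (@submissions) {
    my ($clean, $errors) = validate_input($submission);
    if (@$errors) {
        print "REJECTED: ", join('; ', @$errors), "\n";
    } else {
        print "ACCEPTED: ",
              join(', ', map { "$_=$clean->{$_}" } sort keys %$clean), "\n";
    }
}
```

The point of the design is that nothing the client sends is used until it has been matched against a rule the server owns; rejecting unknown fields closes the gap where an extra parameter reaches code that never expected it.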