Cookies store client state information locally ... A malicious user, or malware, can modify cookies to inject SQL into the back-end database. Server variables such as HTTP headers can also ...