I just found out you can use <!-- --> brackets in PHP to inject commands in unsecured forms. I couldn't find any information about these brackets in PHP. I know they're used in XML structures. I tried googling, but Google simply escapes those brackets.

Are they similar to /* */ comments in PHP?

Edit: Here's where I found out. http://nacereddine.wordpress.com/2008/10/02/hack-this-site-basic-8/

+2  A: 

This has nothing to do with PHP, it's with SSI, which uses <!--#command--> as its syntax.

Eli Grey
Politeness is always a good thing.
David Brown
He even said he got it from the article. How can he not read the first sentence?
Eli Grey
@David what did you find impolite about this answer? It answered the question while retaining the author's dignity.
Mike B
@Mike B "RTFA" is not polite, regardless of whether or not it answers the question.
David Brown
I don't think this answer is polite, maybe just a little synthetic. Take it easy, guys!
DaNieL
+6  A: 

<!-- starts an HTML comment.

--> ends an HTML comment.

Back before PHP gained the dominance that it enjoys today, web developers wanted ways to have Web Servers produce dynamic content without having to learn how to program. This led to the invention of Server Side Includes (SSI). You'd invoke an SSI with the following syntax

<!--#ssi-directive-name list="of" the="parameters" -->

The most common of these was the <!--#include ... directive, which allowed you to include the contents of another file. The HTML-comment-like syntax was chosen so that the directive could be included in an HTML document and still be considered valid HTML.

Even back then, use of the #exec directive was frowned upon. It was thought that having a web request kick off a process on the server was just asking for trouble. That said, the linked article is horribly written. In order to use SSI to compromise passwords on a server, you'd need rights (either hacked or granted) to create files on the server. The security hole here isn't so much support for SSI's exec being on (although it shouldn't be on), but rather some other hole that allowed a user write access to the machine in the first place.

If it isn't clear, this has nothing to do with PHP.

Alan Storm
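
As an added example (not code from either answer), here is a small Python check for the <!--#element attr="value" --> syntax described above. It finds SSI directives in submitted form values, ranks exec and include above the rest, and shows that HTML-escaping a value before it is written to a file leaves nothing for the server to parse. The function names, risk levels and sample values are constructed for illustration.

```python
import html
import re

# An SSI directive is "<!--#", an element name, optional attributes, then "-->".
SSI_RE = re.compile(r"<!--#([A-Za-z]+)(.*?)-->", re.DOTALL)
# name="value", name='value' or name=value
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Assumed ranking: exec starts a process, include pulls in another file.
RISK = {"exec": "high", "include": "medium"}
ORDER = ["low", "medium", "high"]


def find_directives(text):
    """Return [(element, {attr: value})] for every SSI directive in text."""
    found = []
    for m in SSI_RE.finditer(text):
        attrs = {}
        for a in ATTR_RE.finditer(m.group(2)):
            value = next(v for v in a.group(2, 3, 4) if v is not None)
            attrs[a.group(1).lower()] = value
        found.append((m.group(1).lower(), attrs))
    return found


def scan(value):
    """Return the highest risk level in value, or None if it has no directive."""
    levels = [RISK.get(element, "low") for element, _ in find_directives(value)]
    return max(levels, key=ORDER.index) if levels else None


def neutralize(value):
    """Escape < and > so a stored directive is inert text, not markup."""
    return html.escape(value)


# Constructed sample form values.
SAMPLES = [
    "Alice",
    'Bob <!--#exec cmd="date" -->',
    '<!--#include virtual="/footer.html" -->',
    "<!-- just a comment -->",
    '<!--#echo var="DATE_LOCAL" -->',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{scan(s)!s:7} {find_directives(s)!r:45} stored as: {neutralize(s)}")
```

On Apache, Options IncludesNOEXEC keeps SSI available while disabling #exec.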