CANDID: preventing sql injection attacks using dynamic candidate evaluations.