Friday, February 06, 2004 - Posts

Requesting Feedback: 10 Things Developers Currently Do w/ SQL That They Shouldn't

I am putting together a list of things developers do with SQL (either in design or in accessing) that they shouldn't do. Ultimately I am going to put this together into a session called “SQL Server Data Access Developer Don'ts (10 Things You Currently Do That You Shouldn't).” So, please post anything you have seen that made you cringe. I will take the entire list and filter it down to the top ten things that we should put a stop to.

Example:

Developers shouldn't be accessing their database using the SysAdmin (sa) account. This has too many privileges and a malicious user can take advantage of this. Using a SQL Injection attack a malicious user can access all tables in the database, or even worse, the dreaded xp_cmdshell extended stored procedure.
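As an added illustration of the alternative to connecting as sa (this is example T-SQL written for this page, not code from the original post), the script below creates a dedicated login for an application, grants it only the table and procedure permissions it needs through a role, and then checks from inside that account's context that a permission it was not given really is absent. All names (AppDb, app_login, app_user, app_role, dbo.Orders, dbo.usp_GetOrder) and the password are placeholders chosen for the example; the syntax is SQL Server 2005 and later (on SQL Server 2000 the sp_addlogin, sp_grantdbaccess and sp_addrole procedures play the same roles).

```sql
-- Added example (not from the original post): a least-privilege application
-- login in place of sa. Every object name here is an assumption.
USE master;
CREATE LOGIN app_login WITH PASSWORD = '<strong-password-placeholder>';

USE AppDb;
CREATE USER app_user FOR LOGIN app_login;
CREATE ROLE app_role;

-- Grant only what the application actually does: read and write orders,
-- and call one stored procedure. No DELETE, no DDL, no server-level rights.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO app_role;
GRANT EXECUTE ON dbo.usp_GetOrder TO app_role;
EXEC sp_addrolemember 'app_role', 'app_user';
GO

-- The procedure the application calls takes a typed parameter instead of
-- building a statement by string concatenation, so user input is never
-- interpreted as SQL.
CREATE PROCEDURE dbo.usp_GetOrder
    @OrderId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, CustomerId, OrderDate
    FROM dbo.Orders
    WHERE OrderId = @OrderId;
END;
GO

-- Verify from the application's own context: 1 = permitted, 0 = denied.
EXECUTE AS USER = 'app_user';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')  AS can_select, -- expected 1
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'DELETE')  AS can_delete, -- expected 0
       HAS_PERMS_BY_NAME('master.dbo.xp_cmdshell', 'OBJECT', 'EXECUTE') AS can_cmdshell; -- expected 0
REVERT;
GO
```

The point of the final query is that the permission check is done in the account the application will really use, not as an administrator, so a mistaken grant shows up as a 1 where a 0 was expected. Note that sa is a member of sysadmin and would return 1 for every row, which is exactly why the application should not connect as sa.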

Thanks!