I'm going to start a series of short posts on stupid things developers do that they shouldn't. Some of these have been preached for years, some are just developers don't know any better.
So here goes...starting with security!
#1: Never use the SA account in a production database.
I worked with a company that purchased a time and billing database that was developed as a web application. Cool thing was that when we installed it, we had to change the SA password per their setup guide. When we looked at the code...SA was hard coded 138 times with this password! Guess using a config file was out of the question.
#2: Not unlike #1...Never leave the SA password blank.
OK. So Microsoft decides that you must set this when you first enable SQL authentication. So what do people set it to "blank"...Yes! the actual word.
#3: Corollary to #1 and #2...Don't set the ASPNET account to the "System Administrators" role inside SQL Server!
This is no different than using the SA account. You don't want users accessing your data in "god" mode.
Those are the biggest and worst ones--and the ones I see broken the most often.