Think about this... how much time do you spend per day trying to fix things (that get thrown in your direction unexpectedly), then realise they aren't really broken, then try to get back to the work you're supposed to do?
Eventually one just wants to give up and rather page through some posts or bash a penguin or two.
I guess one of my all-time favourite articles, "Understanding the Psychology of Programming", sheds some light on this frustrating situation.
I attended a Microsoft Security conference yesterday. It's amazing to see some of the simple techniques that can be used to break your site, e.g. cross-site scripting and buffer overruns (which are rather complex, but definitely very evil).
The one technique I thought was most dangerous: SQL Injection. When using ADO.NET I always stick to stored procedures and parameters, but purely out of good practice. However, I've been lazy in the past and written code like this to verify a user, for example...
mySqlCommand.CommandText = "SELECT id FROM users WHERE userName = '" + un + "' AND password = '" + pwd + "'";
Now imagine our not-so-innocent user typing ' OR 1=1 -- into our username textbox.
OUCH, now our query looks like this...
SELECT id FROM users WHERE userName = '' OR 1=1 --' AND password = 'whatever'
The first quote closes the empty username string, OR 1=1 makes the WHERE clause true for every row, and the -- turns the rest of the line (including the password check) into a comment. The query returns the id of every user without a single password being checked.
Easy access to your application? Or how about typing ' OR 1=1; DROP TABLE users -- instead...
SELECT id FROM users WHERE userName = '' OR 1=1; DROP TABLE users --' AND password = 'whatever'
That's even worse! SQL Server happily runs more than one statement in a batch, so if the login your application connects with is allowed to drop tables, the users table is gone.
So, for security reasons, always use stored procedures and parameters (even just parameters in a raw SQL string are far better than the concat option). What actually stops the injection is the parameter: the user's input travels to the server as a value, never as part of the SQL text, so a quote in it can't close your string. A stored procedure only gives you that protection if it doesn't concatenate its arguments into dynamic SQL and EXEC it, which puts you right back where you started. Never concat strings to build up your statements, connect with a database login that has only the rights the application needs (a login check needs SELECT, not DROP TABLE), and don't show the user error messages that will help him (or her) understand your application structure/database schema.
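To make the difference concrete, here is the same login check written twice, as an added example that is not code from the original post. The post uses ADO.NET; this version uses Python's sqlite3 module so it runs anywhere with a stock Python install, and the ? placeholder plays the role of an ADO.NET @userName parameter. The table, the two users and their passwords are constructed test data. Besides the ' OR 1=1 -- bypass, it also shows the second reason to use parameters: a perfectly legitimate username containing an apostrophe (O'Brien) breaks the concatenated query and works fine with the parameterised one.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, userName TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (userName, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("O'Brien", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn, un, pwd):
    """The vulnerable version: user input becomes part of the SQL text."""
    sql = (
        "SELECT id FROM users WHERE userName = '" + un
        + "' AND password = '" + pwd + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, un, pwd):
    """The hardened version: the SQL text is fixed, input is sent as values."""
    sql = "SELECT id FROM users WHERE userName = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (un, pwd))]


def try_login(fn, conn, un, pwd):
    """Run a login function and report the ids it returned or the error it raised."""
    try:
        return ("ok", fn(conn, un, pwd))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    attack = "' OR 1=1 --"
    print("concat, real credentials :", try_login(login_concat, db, "alice", "s3cret"))
    print("concat, injected username:", try_login(login_concat, db, attack, "whatever"))
    print("param,  injected username:", try_login(login_param, db, attack, "whatever"))
    print("concat, O'Brien          :", try_login(login_concat, db, "O'Brien", "hunter2"))
    print("param,  O'Brien          :", try_login(login_param, db, "O'Brien", "hunter2"))
```

With the concatenated query the injected username returns the id of every user, and O'Brien produces a syntax error because his apostrophe closes the string literal early; with parameters the injected string is just a username nobody has, and O'Brien logs in. The DROP TABLE variant from the post is not reproduced here because sqlite3's execute() refuses to run more than one statement per call; SQL Server does not refuse, which is exactly why the post's second example is so dangerous.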