Somewhere out there is the second program I ever wrote professionally. Within that program is the greatest SQL injection vulnerability of all time. It's not a subtle issue where I forgot to properly sanitize user inputs. Nope, it's a page that explains in big, bold, friendly letters that any text you type into the text field will be immediately sent raw to the server for processing. It might be the world's only self-documenting SQL injection exploit.
I tell myself that the page is only accessible through the administration interface, which is itself only accessible from the sysadmin's computer and with a proper password. I remind myself that there is no PII in the database and that the worst case scenario, if the system is cracked, is that someone has to count all the desks in the building again. I remember the fact that the client specifically wanted this feature.
But, mostly, I just console myself with the knowledge that my name isn't in the source code, so whatever poor bastard is maintaining that monstrosity now can't track me down.
I once wrote a parameter parsing function for a home-grown web framework (first job, over ten years ago). One of its features was correct handling of parameter arrays, e.g. foo[42][]=bar&foo[42][]=baz would be converted into {foo: {42: ["bar", "baz"]}}.
In my naivety (but laudable desire for code reuse and simple implementation(!)), I parsed the brackets using eval. Without sanitisation.
And the worst thing is, this was only noticed by someone in their job interview, when we asked them a question based on our production code. They got the job :)
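A safe way to do the bracket-parameter parsing that comment describes, as an added example (Python, not the commenter's framework code): the bracket segments are extracted with a regular expression and used only as dictionary keys, never evaluated, and nesting depth and pair count are bounded so hostile input cannot build huge trees. The limits MAX_DEPTH and MAX_PARAMS are assumed values, not from the post.

```python
import re
from urllib.parse import parse_qsl

# A key is a name followed by zero or more [segment] parts; an empty segment means "append".
_KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")
_SEGMENT_RE = re.compile(r"\[([^\[\]]*)\]")
MAX_DEPTH = 8      # assumed bound: limits nesting so hostile input cannot build huge trees
MAX_PARAMS = 1000  # assumed bound: limits the number of key/value pairs for the same reason

def split_key(key):
    """'foo[42][]' -> ['foo', '42', '']. Segment text is only ever a dict key,
    never evaluated, so 'foo[2*3]' yields the literal key '2*3'."""
    match = _KEY_RE.match(key)
    if not match:
        raise ValueError(f"malformed parameter name: {key!r}")
    path = [match.group(1)] + _SEGMENT_RE.findall(match.group(2))
    if len(path) > MAX_DEPTH:
        raise ValueError(f"parameter nested too deeply: {key!r}")
    return path

def _assign(container, path, value):
    seg, rest = path[0], path[1:]
    if seg == "":                                   # '[]': append to a list
        if not isinstance(container, list):
            raise ValueError("'[]' used where a named key was expected")
        if not rest:
            container.append(value)
            return
        child = [] if rest[0] == "" else {}
        container.append(child)
        return _assign(child, rest, value)
    if not isinstance(container, dict):             # e.g. a[]=1&a[x]=2 or a=1&a[x]=2
        raise ValueError(f"named key {seg!r} nested under a scalar or list")
    if not rest:
        if isinstance(container.get(seg), (dict, list)):
            raise ValueError(f"{seg!r} is both a scalar and a container")
        container[seg] = value                      # last scalar wins
        return
    child = container.setdefault(seg, [] if rest[0] == "" else {})
    _assign(child, rest, value)

def parse_params(query):
    """Parse a query string into nested dicts/lists without eval."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if len(pairs) > MAX_PARAMS:
        raise ValueError("too many parameters")
    result = {}
    for key, value in pairs:
        _assign(result, split_key(key), value)
    return result
```

Numeric indices stay strings ("42", not 42), and any type clash between a scalar, a list and a dict under the same name is rejected rather than silently merged.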