Writing secure code does not guard against self-inflicted security holes when working with unmanaged resources such as databases.