I have seen a lot of SQL-based applications where the client application authenticates the user by some table within the database. Rather than using SQL or Windows authentication to authenticate the user before database access is granted, the application uses a common username (often the 'sa' user) that has full access to the database, and depends on constraints specified within the application's own authentication table to control what the user can and cannot do within the database.
This strikes me as terribly insecure, as it effectively exposes the highly privileged credentials (SQL credentials such as the 'sa' account) to all users. Users could then use these credentials to access and manipulate the databaseoutside of the application, potentially accessing and manipulating data that they should not have rights to.
It's my opinion that...