Crazy Programming Practice part #39291

Sometimes other developers just amaze me with their brilliance, or with their craziness. Here is an example of the latter.

We had a system whereby the ID of each entity in a database was encrypted before being included in a URL, which could then be used to access some service. For example, a user might have ID=1234, which when encrypted became ABCDEFG987. They could then access personalised content via a link that ended in ABCDEFG987.

The backend code therefore had to take an encrypted ID and work out which user it belonged to. The simple way would be to decrypt the string from the URL (ABCDEFG987 in the example above) to recover the user's ID (1234 in our example), then issue a single query to fetch the User with that ID. One decryption, one indexed lookup, regardless of how many users exist; and if the scheme is authenticated, a token that has been tampered with fails decryption outright, so no query ever runs for it.

What someone did instead was loop through every single User in the database, encrypting each ID in turn and comparing the result to the encrypted string from the URL. (This only works at all because the encryption was deterministic; with a randomised scheme no re-encryption would ever match.) With six million-odd users in the database and an encryption algorithm that is deliberately resource intensive, a single request could cost six million encryptions instead of one decryption, and a token that matches nobody, valid or not, always costs the full six million. That is a recipe for disaster.
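To make the cost difference concrete, here is an added Go example that is not code from the original system. It builds a deterministic token scheme (AES-GCM with an SIV-style nonce derived from the ID via HMAC, chosen because the scan approach only works if encryption is deterministic; the post does not name the cipher actually used) over a constructed table of 10,000 users, and puts the two lookup strategies side by side with a counter on the expensive operation. The hard-coded keys, the user table and all function names are illustrative assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo keys, hard-coded only for this example (real keys come from a KMS).
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var nonceKey = []byte("fedcba9876543210fedcba9876543210")

// User stands in for the database row.
type User struct {
	ID   uint64
	Name string
}

// Constructed user table with 10000 rows: the slice plays the full table scan,
// the map plays the primary-key index.
var users []User
var usersByID = map[uint64]User{}

func init() {
	for id := uint64(1); id <= 10000; id++ {
		u := User{ID: id, Name: fmt.Sprintf("user%d", id)}
		users = append(users, u)
		usersByID[id] = u
	}
}

// encryptCalls counts the expensive operation so the two strategies can be compared.
var encryptCalls int

func newGCM() cipher.AEAD {
	block, _ := aes.NewCipher(encKey) // key length is fixed above, so no error
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// encryptID turns a user ID into a URL-safe token. The nonce is derived from the
// plaintext with a keyed PRF (SIV-style), so the same ID always yields the same
// token, which the scan approach relies on; the GCM tag provides integrity.
func encryptID(id uint64) string {
	encryptCalls++
	pt := make([]byte, 8)
	binary.BigEndian.PutUint64(pt, id)
	mac := hmac.New(sha256.New, nonceKey)
	mac.Write(pt)
	nonce := mac.Sum(nil)[:12]
	ct := newGCM().Seal(nil, nonce, pt, nil)
	return base64.RawURLEncoding.EncodeToString(append(nonce, ct...))
}

// decryptID reverses encryptID. A tampered or forged token fails the tag check
// and is rejected before any database access happens.
func decryptID(token string) (uint64, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < 12 {
		return 0, errors.New("malformed token")
	}
	pt, err := newGCM().Open(nil, raw[:12], raw[12:], nil)
	if err != nil || len(pt) != 8 {
		return 0, errors.New("invalid token")
	}
	return binary.BigEndian.Uint64(pt), nil
}

// lookupByScan is the pattern the post describes: re-encrypt every row's ID and
// compare. Cost is one encryption per row visited, all rows on a miss.
func lookupByScan(token string) (User, bool) {
	for _, u := range users {
		if encryptID(u.ID) == token {
			return u, true
		}
	}
	return User{}, false
}

// lookupByDecrypt is the sane version: one decryption, one indexed lookup.
func lookupByDecrypt(token string) (User, bool) {
	id, err := decryptID(token)
	if err != nil {
		return User{}, false
	}
	u, ok := usersByID[id]
	return u, ok
}

// encryptionCost reports how many encryptions each strategy spends on one token.
func encryptionCost(token string) (scan, direct int) {
	encryptCalls = 0
	lookupByScan(token)
	scan = encryptCalls
	encryptCalls = 0
	lookupByDecrypt(token)
	return scan, encryptCalls
}

func main() {
	token := encryptID(9999)
	scan, direct := encryptionCost(token)
	fmt.Printf("token %s: scan=%d encryptions, decrypt-then-query=%d encryptions\n", token, scan, direct)
}
```

Resolving the token for user 9999 costs the scan 9999 encryptions and the decrypt path none (one decryption and one map lookup); scale the table to six million rows and the arithmetic of the original system speaks for itself. Note also the miss case: a garbage or tampered token is the worst case for the scan, since every row is encrypted before it is rejected, whereas the decrypt path rejects it at the GCM tag check without touching the database at all.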